## Part 1

**The URL found:** [https://cs.adelaide.edu.au/~yval/SP18/assignment2.pdf!](https://cs.adelaide.edu.au/~yval/SP18/assignment2.pdf)

### Step 1 get MLEN

This step is easy. When I input `54`, it outputs `Index 54 out of bounds`, but it can output the byte at `message[53]`. In this way, I know `MLEN = 54`.

### Step 2 get message

This step is also easy. I just input 0 to 53 to get the bytes of the `message` array.

### Step 3 get key

This step is very challenging.

I make use of the integer overflow vulnerability of the `atoi` function.

```c
int i = atoi(inbuf);
```

I input `4294967295` ($2^{32}-1$), which leads to `i = -1`, `4294967294` to get `i = -2`, and so on.

This makes the program output the bytes at message[-1], message[-2], ...

The address of the array `key` is smaller than that of `message`. Thus, message[-1], message[-2], ... may hold the bytes of the `key` array.

I get the bytes of message[-1], message[-2], ...

I observe that message[-1] to message[-10] are all 0, but beyond message[-10] the content is not 0.

Thus, I guess message[-11] is key[53], message[-12] is key[52], ..., message[-64] is key[0].

### Step 4 compute the URL

Since I have `message` and `key`, each byte of the URL is the XOR of the corresponding bytes of `message` and `key`.

Under the part-1 directory, `results.txt` contains the bytes of `message` and `key` obtained through telnet, and `compute.py` computes the URL from `message` and `key`.
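The following is an added C example, not the assignment's server code and not the write-up's `compute.py`. It models the layout the write-up infers (`key` below a ten-byte zero gap below `message`), puts the vulnerable `atoi()` lookup beside a hardened one that rejects negative and overflowing indices, and carries the Step 3 mapping and the Step 4 XOR through to the URL. The layout, the key bytes and all function names are assumptions made for the demonstration.

```c
/* Added example: modelled layout and index checks, not the real server. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define KLEN 54   /* key[0..53], as inferred in Step 3 */
#define GAP  10   /* the zero bytes observed at message[-1..-10] */
#define MLEN 54   /* from Step 1 */

/* One backing array so negative offsets from `message` stay inside a single
 * object: [ key | zero gap | message ]. Constructed layout (assumption). */
static unsigned char region[KLEN + GAP + MLEN];
static unsigned char *const key     = region;
static unsigned char *const message = region + KLEN + GAP;

/* The URL the write-up recovered (54 bytes, including the trailing '!'). */
static const char URL[] = "https://cs.adelaide.edu.au/~yval/SP18/assignment2.pdf!";

/* Fill key with constructed bytes and message with URL ^ key. */
void setup_demo(void)
{
    memset(region, 0, sizeof region);
    for (int i = 0; i < KLEN; i++)
        key[i] = (unsigned char)(0x5A + 7 * i);   /* constructed key, not the real one */
    for (int i = 0; i < MLEN; i++)
        message[i] = (unsigned char)URL[i] ^ key[i];
}

/* Vulnerable lookup as the write-up describes it: atoi() plus an upper-bound
 * check only. "4294967295" becomes -1 on common 64-bit builds, so a negative
 * index walks backwards through the gap and into the key. */
int lookup_vulnerable(const char *inbuf)
{
    int i = atoi(inbuf);
    if (i >= MLEN)
        return -1;                     /* "Index N out of bounds" */
    return message[i];
}

/* Hardened lookup: strtol with error handling; reject trailing text,
 * overflow (ERANGE) and anything outside [0, MLEN). Returns -1 on reject. */
int lookup_fixed(const char *inbuf)
{
    char *end = NULL;
    errno = 0;
    long v = strtol(inbuf, &end, 10);
    if (end == inbuf || *end != '\0' || errno == ERANGE)
        return -1;
    if (v < 0 || v >= MLEN)
        return -1;
    return message[v];
}

/* Step 3 mapping: message[-11] is key[53], ..., message[-64] is key[0].
 * leak[k] holds the byte read at message[-(k+1)]. */
void key_from_leak(const int *leak, unsigned char *out)
{
    for (int k = 0; k < KLEN; k++)
        out[KLEN - 1 - k] = (unsigned char)leak[GAP + k];
}

/* Step 4: each URL byte is message[i] ^ key[i]. */
void recover_url(const unsigned char *msg, const unsigned char *k, size_t n, char *out)
{
    for (size_t i = 0; i < n; i++)
        out[i] = (char)(msg[i] ^ k[i]);
    out[n] = '\0';
}

/* Replay Steps 2 to 4 against the vulnerable lookup; 1 if the result is URL. */
int demo_recovers_url(void)
{
    int leak[GAP + KLEN];
    unsigned char msg[MLEN], k[KLEN];
    char out[MLEN + 1], idx[16];

    setup_demo();
    for (int i = 0; i < MLEN; i++) {              /* Step 2: indices 0..53 */
        snprintf(idx, sizeof idx, "%d", i);
        msg[i] = (unsigned char)lookup_vulnerable(idx);
    }
    for (int n = 1; n <= GAP + KLEN; n++) {       /* Step 3: -1 .. -64 */
        snprintf(idx, sizeof idx, "%d", -n);
        leak[n - 1] = lookup_vulnerable(idx);
    }
    key_from_leak(leak, k);
    recover_url(msg, k, MLEN, out);
    return strcmp(out, URL) == 0;
}

int main(void)
{
    setup_demo();
    printf("vulnerable, \"4294967295\": %d\n", lookup_vulnerable("4294967295"));
    printf("fixed,      \"4294967295\": %d\n", lookup_fixed("4294967295"));
    printf("recovered URL matches: %d\n", demo_recovers_url());
    return 0;
}
```

The fix is the lower-bound check together with a parser that reports overflow: `atoi()` silently wraps `4294967295` to `-1`, so a check of `i >= MLEN` alone can never see the negative index. `lookup_fixed` also rejects trailing characters, so input read from telnet should have its newline stripped before the call.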

## Part 3

I use the `american fuzzy lop` tool to fuzz the calc software of BigNum-2, BigNum-4 and BigNum-5.

The following are the steps to fuzz BigNum-2; the steps for the other two are the same.

### Step 1

Modify the makefile to use `afl-clang`

```makefile
main: main.c bn.c
	../afl-2.52b/afl-clang -std=gnu99 -O2 -Wall -o calc main.c bn.c
```

### Step 2

Compile using the updated makefile

```
Admin@BigNum-2 $ make
gcc -c bn.c -o bignum.o -Wall
ar -rcs libbn.a bignum.o
../afl-2.52b/afl-clang -std=gnu99 -O2 -Wall -o calc main.c bn.c
afl-cc 2.52b by
afl-as 2.52b by
[+] Instrumented 63 locations (64-bit, non-hardened mode, ratio 100%).
afl-as 2.52b by
[+] Instrumented 174 locations (64-bit, non-hardened mode, ratio 100%).
```

### Step 3

Create a new directory `test_cases` under `part2/BigNum-2` and add the test input files.

### Step 4

Use the following command to start the testing. This command tells the fuzzer to use the test inputs in the directory `./test_cases/` and store the results in `find`. `find/crashes` and `find/hangs` store the inputs that cause the software to crash and hang.

```sh
../afl-2.52b/afl-fuzz -i ./test_cases/ -o find ./calc
```

### Bugs found summary

I successfully use the tool to find the test inputs that cause the software to crash or hang for all 3 versions of the solution. `part-3/BigNum-*/find/crashes` stores the inputs that cause the software to crash and `part-3/BigNum-*/find/hangs` stores the inputs that cause the software to hang.

| solution | run time | **uniq crashes** | **uniq hangs** |
| -------- | --------------------- | ---------------- | -------------- |
| BigNum-2 | 7 hrs, 16 min, 41 sec | 4 | 1 |
| BigNum-4 | 3 hrs, 1 min, 26 sec | 83 | 0 |
| BigNum-5 | 7 hrs, 11 min, 14 sec | 51 | 2 |

### Screenshots

![](2.png)
![](3.png)
![](4.png)

| BigNum-2 | BigNum-4 | BigNum-5 |
| ---------- | ---------- | ---------- |
| ![](2.png) | ![](4.png) | ![](5.png) |