answers
Part 1
The URL found:
https://cs.adelaide.edu.au/~yval/SP18/assignment2.pdf!
Step 1 get MLEN
This step is easy, When i input 54 , it outputs Index 54 out of bounds , but it can outputs
the bytes at
message[53]. In this way, I know MLEN = 54 .
Step 2 get message
This step is also easy, I just input 0 to 53 and to the the bytes of message array .
Step 3 get key
This step is very challenging.
I make use of the integer overflow vulnerability of atoi function.
I input 4294967295 ( ) which lead to i = -1 , 4294967294 to get i = -2 and so on.
This make the program outputs Bytes at message[-1], message[-2], ……
The address of array key is smaller than message . Thus, message[-1], message[-2]… may
have the bytes of key array.
I get the bytes of message[-1], message[-2], ……
And observe that from message[-1] to message[-10] are all 0. But from message[-10], the
content is not 0.
Thus, I guess message[-11] is key[53], message[-2] is key[52], …. message[-64] is key[0]
Step 4 compute the URL
Since I get the message and key , then the byte of URL is the xor of corresponding byte of
message and key.
Under part-1 directory, results.txt is the contents of message and key got through
telnet. compute.py is used to compute the url using message and key .
int i = atoi(inbuf);
https://cs.adelaide.edu.au/~yval/SP18/assignment2.pdf
Part 2
i observed the running result of serveral set of data:
a=100 : 00000000000000000000000001100100
-a=-100 : 11111111111111111111111110011100
r=4 : 00000000000000000000000000000100
a=101 : 00000000000000000000000001100101
-a=-101 : 11111111111111111111111110011011
r=1 : 00000000000000000000000000000001
a=102 : 00000000000000000000000001100110
-a=-102 : 11111111111111111111111110011010
r=2 : 00000000000000000000000000000010
a=-10000 : 11111111111111111101100011110000
-a=10000 : 00000000000000000010011100010000
r=16 : 00000000000000000000000000010000
a=0 : 00000000000000000000000000000000
-a=0 : 00000000000000000000000000000000
r=0 : 00000000000000000000000000000000
f1: i can see the function of f1 is that
Only keep 1 of the lower right-hand side of a, and turn other locations to 0.
The proof of mathematics is as follows
If a binary number is in the form of xxx1000…
Then the result that was turned to opposite number is in the form of yyy0111…
And then Plus 1,i get yyy1000…
it equal to the left side of the lowest position 1 is reversed and the right part remains
unchanged.
So there must be xxx1000…… yyy1000=0001000…
f2 : If a>=b, the result is all 1, binary -1, otherwise the result is 0..
The proof of mathematics is as follows
First, the Da x>>31 corresponds to the right shift of the highest position of X to 31 times, and
the highest position of X is s.
Then the result of x>>31 is 32 s..
When a>=b, the highest position of x=a-b is 0, otherwise it is 1..
f3**:** If a! =0, return all 1, otherwise 0.
According to the 1 conclusion, if a! =0, then the form of a is xxx1000…
The form of -a is yyy1000.
So there must be xxx|yyy=111. At this time, the highest position of r= (a|-a) is 1, and the 31
position is shifted to 32 bits 1.
If a is 0, the result is obviously 0.
f4 : If c==d, return to a, otherwise return B
The proof of mathematics is as follows
If c==d, then C will be changed to 0 after c^=d, so that C will be all 0 after c= (c|-c) >>31.
So there is (a& -c) (b&c) =a| (b&0) =a|0=a at this time.
If c! =d, then C is not 0 after c^=d. According to the conclusion of F3, C is 1 when c= (c|-c) >>31 is
executed.
So there is (a& -c) (b&c) = (a&0) |b = 0|b =b at this time.
Part 3
I use american fuzzy lop tool to fuzz the calc software of BigNum-2, BigNum-4 and BigNum-
5.
The following is the steps to fuzz BigNum-2, the steps for the other two are the same.
Step 1
Modify the makefile to use afl-clang
Step 2
make command to compile using the updated makefile
Step 3
Create a new directory test_cases under part2/BigNum-2 and add the test input files.
Step 4
main: main.c bn.c
../afl-2.52b/afl-clang –std=gnu99 -O2 -Wall -o calc main.c bn.c
solution run time uniq crashes uniq hangs
BigNum-2 7 hrs, 16 min, 41 sec 4 1
BigNum-4 3 hrs, 1 min, 26 sec 83 0
BigNum-5 7 hrs, 11 min, 14 sec 51 2
BigNum-2 BigNum-4 BigNum-5
Using following command to start the testing. This command tells the fuzzer to use test input in
the director ./test_cases/ and store the results in find . find/crashes and find/hangs
stores the inputs that cause the software to crash and hang.
Bugs found summary
I successfully use the too to find the test inputs that cause the software to crash or hang for all
3 versions of solution. part-3/BigNum-*/find/crashes stores the inputs that cause the
software to crash and part-3/BigNum-*/find/hangs stores the inputs that cause the
software to hang.
Screenshots
../afl-2.52b/afl-fuzz -i ./test_cases/ -o find ./calc
Part 1
Step 1 get MLEN
Step 2 get message
Step 3 get key
Step 4 compute the URL
Part 2
Part 3
Step 1
Step 2
Step 3
Step 4
Bugs found summary
Screenshots