
LIBAFL_JUMPER
If you want to replace your unicorn use with libafl_qemu, this might be your tool.
It can run as a stub binary.
From inside LibAFL, you can break at libafl_jmp, then mmap and load all of the memory you need, then continue running.
Depending on your toolchain, you want to build the tool for the guest platform.
Since the loader will run inside qemu-linux-user, the target OS needs to be Linux (of course, there might be other use cases for you).
To build this statically linked against musl libc, we can do the following:
# Install the cross compiler toolchain (the soft-float gnueabi one, matching the musleabi Rust target and the linker named below)
apt-get install gcc-arm-linux-gnueabi
# Install the rust toolchain parts
rustup target add arm-unknown-linux-musleabi
# Build for the target. The addresses in the linker script should not be used by your target binary.
RUSTFLAGS="-C target-feature=+crt-static -C link-self-contained=yes -C linker=arm-linux-gnueabi-gcc -C link-arg=-T$(realpath linker_script.ld)" cargo build --target=arm-unknown-linux-musleabi --release
Or do that for any other architecture, such as x86_64-unknown-linux-musl.
Then, run libafl_jumper with a hex-encoded address as its parameter, break at libafl_jmp, and (m)map your memory to the right place before continuing to run.
The jumper will then jump to the provided address.
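To make the contract above concrete (the address argument, the breakpoint anchor, the final jump), here is an added sketch of how such a stub is structured. It is illustrative code written for this page, not the libafl_jumper source; the accepted address syntax (with or without a 0x prefix) and the function names are assumptions.

```rust
// Illustrative jumper stub (not the project's own code). Assumes the
// address is passed as argv[1] in hex, optionally prefixed with "0x".
use std::process;

/// Parse a hex-encoded address such as "0x10000" or "10000" (constructed
/// formats). Rejects empty or non-hex input instead of jumping to garbage.
pub fn parse_hex_addr(s: &str) -> Result<usize, String> {
    let s = s.trim();
    let digits = s
        .strip_prefix("0x")
        .or_else(|| s.strip_prefix("0X"))
        .unwrap_or(s);
    if digits.is_empty() {
        return Err(format!("empty address: {s:?}"));
    }
    usize::from_str_radix(digits, 16).map_err(|e| format!("bad hex address {s:?}: {e}"))
}

/// The breakpoint anchor. It is never inlined so the symbol exists in the
/// binary and the harness can stop here, map and fill the target's memory,
/// and only then resume. A real build would also export it unmangled.
#[inline(never)]
pub extern "C" fn libafl_jmp(addr: usize) -> ! {
    // Only reached after the harness has mapped the target at `addr`;
    // casting an integer to a function pointer is sound only under that assumption.
    let entry: extern "C" fn() -> ! = unsafe { std::mem::transmute(addr) };
    entry()
}

fn main() {
    let arg = std::env::args().nth(1).unwrap_or_else(|| {
        eprintln!("usage: libafl_jumper <hex-address>");
        process::exit(2);
    });
    match parse_hex_addr(&arg) {
        Ok(addr) => libafl_jmp(addr),
        Err(e) => {
            eprintln!("{e}");
            process::exit(1);
        }
    }
}
```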
Enjoy jumping like a little bunny.