hack main.c to measure instructions

2024-06-18 17:13:31 +02:00 · 2024-06-18 17:13:31 +02:00 · ccc7d889c4
commit ccc7d889c4
parent 9a0a6ebc35
4 changed files with 46 additions and 19 deletions
--- a/README_icount.txt
+++ b/README_icount.txt
@ -0,0 +1,11 @@
+# dependencies
+nix-shell
+# build qemu
+mkdir build
+cd build
+../myconfigureunsared.sh
+make -j 8
+# prepare img
+qemu-img create -f qcow2 dummy.qcow2 32M
+# run
+./qemu-system-arm 12a0 1404 -machine mps2-an385 -cpu cortex-m3 -kernel kernel.elf -serial none -icount shift=5,align=off,sleep=on -monitor none -nographic
--- a/myconfigureunshared.sh
+++ b/myconfigureunshared.sh
@ -37,7 +37,6 @@ cd build
  --disable-gtk \
  --disable-guest-agent \
  --disable-guest-agent-msi \
-  --disable-hax \
  --disable-hvf \
  --disable-iconv \
  --disable-jack \
@ -112,4 +111,4 @@ cd build
  --disable-xen \
  --disable-xen-pci-passthrough \
  --disable-xkbcommon \
-  --disable-zstd \
+  --disable-zstd \
--- a/system/main.c
+++ b/system/main.c
@ -24,6 +24,7 @@

 #include "qemu/osdep.h"
 #include "qemu-main.h"
+#include "sysemu/runstate.h"
 #include "sysemu/sysemu.h"

 #ifdef CONFIG_SDL
@ -47,6 +48,9 @@ int (*qemu_main)(void) = qemu_default_main;
 #include <stdio.h>
 #include <stdlib.h>
 #include "exec/cpu-common.h"
+void libafl_qemu_set_native_breakpoint( vaddr );
+void libafl_qemu_remove_native_breakpoint( vaddr );
+int64_t icount_get_raw(void);
 //========= Instrumentation end
 int main(int argc, char **argv)
 {
@ -56,20 +60,23 @@ int main(int argc, char **argv)
        fprintf(stderr, "Need address and input file argument\n");
        exit(1);
    }
-    hwaddr target_addr = (hwaddr) strtoll(argv[1], NULL, 16);
-    char buffer[4097];
-    FILE* inputfile = fopen(argv[2], "rb");
-    if (!inputfile) {
-        perror("fopen");
-        exit(1);
-    }
-    size_t read_len = fread(buffer, sizeof(char), 4096, inputfile);
-    buffer[read_len]=0;
-    if (!read_len) {
-        fprintf(stderr, "No input in file\n");
-        exit(1);
-    }
-    printf("Load at %lx: %s\n", target_addr, buffer);
+    hwaddr start = (hwaddr) strtoll(argv[1], NULL, 16);
+    hwaddr end = (hwaddr) strtoll(argv[2], NULL, 16);
+    // hwaddr target_addr = (hwaddr) strtoll(argv[1], NULL, 16);
+    // vm_start();
+    // char buffer[4097];
+    // FILE* inputfile = fopen(argv[2], "rb");
+    // if (!inputfile) {
+    //     perror("fopen");
+    //     exit(1);
+    // }
+    // size_t read_len = fread(buffer, sizeof(char), 4096, inputfile);
+    // buffer[read_len]=0;
+    // if (!read_len) {
+    //     fprintf(stderr, "No input in file\n");
+    //     exit(1);
+    // }
+    // printf("Load at %lx: %s\n", target_addr, buffer);
    // fix arguments for qemu
    argv[2]=argv[0];
    argv=&argv[2];
@ -78,7 +85,17 @@ int main(int argc, char **argv)
    qemu_init(argc, argv);
 //========= Instrumentation start
    // load input
-    cpu_physical_memory_rw(target_addr, buffer, read_len, true);
+    // cpu_physical_memory_rw(target_addr, buffer, read_len, true);
+    libafl_qemu_set_native_breakpoint(start);
+    vm_start();
+    qemu_main_loop();
+    libafl_qemu_remove_native_breakpoint(start);
+    libafl_qemu_set_native_breakpoint(end);
+    printf("Start: %lu\n", icount_get_raw());
+    vm_start();
+    qemu_main_loop();
+    printf("End: %lu\n", icount_get_raw());
+    return 0;
 //========= Instrumentation end
    return qemu_main();
 }
--- a/system/runstate.c
+++ b/system/runstate.c
@ -724,9 +724,9 @@ static bool main_loop_should_exit(int *status)
        vm_stop(RUN_STATE_DEBUG);

 //// --- Begin LibAFL code ---
-#ifdef AS_LIB
+// #ifdef AS_LIB // Also exit in standalone mode for debugging
        return true;    // exit back to fuzzing harness
-#endif
+// #endif
 //// --- End LibAFL code ---

    }