fuzz Acrobat jp2klib超级慢的不知名原因

根据两篇文章，代码抄抄改改，写了个fuzz Acrobat程序jp2klib.dll的harness，但是不知道为啥winafl跑起来巨慢

参考的两篇文章：

• https://research.checkpoint.com/2018/50-adobe-cves-in-50-days/
• https://github.com/ronwai/jp2k_fuzz/blob/master/JP2KLoader.cpp

我自己写的代码：

#define _CRT_SECURE_NO_WARNINGS
#include <Windows.h>
#include <iostream>
#include <intrin.h>
#include <stdio.h>

// #define DEBUG

typedef int (*pfunc_t) (); 
typedef int (*JP2KLibInitEx_func_t)(void*);
typedef void* (*JP2KGetMemObjEx_func_t)();
typedef void* (*JP2KDecOptCreate_func_t)();
typedef int (*JP2KDecOptInitToDefaults_func_t)(void*);
typedef void* (*JP2KImageCreate_func_t)();
typedef int (*JP2KImageInitDecoderEx_func_t)(void*,void*,void*,void*,void*);
typedef void* (*JP2KCodeStm_return_arg0)(void*);
typedef void (*JP2KCodeStm_Die)(void*);
typedef int (*JP2KCodeStm_Read)(void*,void*, int);
typedef int (*JP2KCodeStm_Seek)(int, int);
typedef int (*JP2KCodeStm_Write)(void*,void*, int);
typedef int (*JP2KCodeStm_TellPos)(void*);
typedef int (*JP2KCodeStm_IsSeekAble)(void*);
typedef int (*JP2KCodeStm_IsReadAble)(void*);           
typedef int (*JP2KCodeStm_IsWriteAble)(void*);
typedef void* (*JP2KImageDataCreate_func_t)(void);
typedef int (*JP2KImageGetMaxRes_func_t)(void*);
typedef int (*JP2KImageDecodeTileInterleaved_func_t)(void*, int, int, int, int, int, void*);
typedef void (*JP2KImageDataDestroy_func_t)(void*);
typedef void (*JP2KImageDestroy_func_t)(void*);
typedef void (*JP2KDecOptDestroy_func_t)(void*);


JP2KLibInitEx_func_t JP2KLibInitEx_func;
JP2KGetMemObjEx_func_t JP2KGetMemObjEx_func;
JP2KDecOptCreate_func_t JP2KDecOptCreate_func;
JP2KDecOptInitToDefaults_func_t JP2KDecOptInitToDefaults_func;
JP2KImageCreate_func_t JP2KImageCreate_func;
JP2KImageInitDecoderEx_func_t JP2KImageInitDecoderEx_func;
JP2KImageDataCreate_func_t JP2KImageDataCreate_func;
JP2KImageGetMaxRes_func_t JP2KImageGetMaxRes_func;
JP2KImageDecodeTileInterleaved_func_t JP2KImageDecodeTileInterleaved_func;
JP2KImageDataDestroy_func_t JP2KImageDataDestroy_func;
JP2KImageDestroy_func_t JP2KImageDestroy_func;
JP2KDecOptDestroy_func_t JP2KDecOptDestroy_func;


#define LOAD_FUNC(h,n)								\
	n##_func = (n##_func_t)GetProcAddress(h,#n);	\
	if(!n##_func){									\
		printf("failed to load function " # n "\n");\
		exit(1);									\
	}

#define NOP(x)										\
	int nop##x(){									\
		printf("==> nop%d called, %p\n",##x,_ReturnAddress());	\
		return (DWORD)x;							\
	}

NOP(0)
NOP(1)
NOP(2)
NOP(3)
NOP(4)
NOP(5)
NOP(6)
NOP(7)
NOP(8)

void* init_something() {
	return malloc(0x14);
}

void* malloc_1(int size) {
#ifdef DEBUG
	printf("malloc 0x%x byte\n", size);
#endif
	return malloc(size);
}

void* memset_1(void* dst, int value, int size) {
#ifdef DEBUG
	printf("memset(0x%p,0x%x,0x%x)\n",dst, value, size);
#endif
	memset(dst, value, size);
	return dst;
}

void* memcpy_1(void* dst, void* src, int size) {
#ifdef DEBUG
	printf("memcpy(0x%p,0x%p,0x%x)\n",dst,src,size);
#endif
	memcpy(dst, src, size);
	return dst;
}

void free_1(void* p) {
#ifdef DEBUG
	printf("free(0x%p)\n", p);
#endif
	free(p);
}

int ret_1() {
	return 1;
}

void* return_arg0_func(void* arg0) {
	return arg0;
}

struct MemObjEx {
	// void* (__cdecl* init_something_)(void);		// need implement
	pfunc_t funcs_0;
	pfunc_t funcs_1;
	pfunc_t funcs_2;
	pfunc_t funcs_3;
	void* (__cdecl* malloc_1)(int);
	void (__cdecl* free_1)(void*);
	void* (__cdecl* memcpy_1)(void*,void*,int);
	pfunc_t funcs_7;
	void* (__cdecl* memset_1)(void*, int, int);
};

struct decOpt
{
	DWORD unk_1;
	DWORD unk_2;
	DWORD unk_3;
	DWORD unk_4;
	DWORD unk_5;
	DWORD unk_6;
};

struct stmProcs {
	JP2KCodeStm_return_arg0 return_arg0;
	JP2KCodeStm_Die die;
	JP2KCodeStm_Read read;
	JP2KCodeStm_Write write;
	JP2KCodeStm_Seek seek;
	JP2KCodeStm_TellPos tellPos;
	JP2KCodeStm_IsSeekAble seek_able;
	JP2KCodeStm_IsReadAble read_able;
	JP2KCodeStm_IsWriteAble write_able;
};

struct file_t {
	int pos;
	char* buf;
	DWORD filesize;
};


file_t global_file_obj;


// define our function
int my_read(void* dummy_this,void* buf,int size) {
#ifdef DEBUG
	printf("in my_read memcpy(0x%p,0x%p,0x%x)\n",buf,global_file_obj.buf+global_file_obj.pos,size);
#endif
	int byteRead = global_file_obj.pos + size > global_file_obj.filesize ?
		global_file_obj.filesize - global_file_obj.pos : size;

	memcpy(buf, global_file_obj.buf + global_file_obj.pos, byteRead);

	return byteRead;
}

int my_seek(int flags, int offset) {
	switch (flags) {
	case 0: 
	case 1: {
		global_file_obj.pos += offset;
		break;
	}
	case 2: {
		global_file_obj.pos = global_file_obj.filesize;
		break;
	}
	default:
		break;
	}
	return global_file_obj.pos;
}

void my_die(void* t) {
	return;
}

int my_write(void* dummy_this,void* dst, int size) {
#ifdef DEBUG
	printf("in my_write : memcpy(0x%p,0x%p,0x%x)\n", dst, global_file_obj.buf + global_file_obj.pos, size);
#endif
	memcpy(dst, global_file_obj.buf + global_file_obj.pos, size);
	global_file_obj.pos += size;
	return size;
}

int my_tellPos(void* dummy) {
	return global_file_obj.pos;
}

int is_read_able(void* dummy) {
	return 1;
}

int is_seek_able(void* dummy) {
	return 1;
}

int is_write_able(void* dummy) {
	return 0;
}

void init_file_obj(file_t* fileobj, const char* filename) {
	/*
	FILE* fp = fopen(filename, "rb");
	if (fp == NULL)
		exit(0);
	fseek(fp,0,SEEK_END);
	fileobj->filesize = ftell(fp);
	fseek(fp, 0, SEEK_SET);
	fileobj->buf = new char[fileobj->filesize+4];
	fileobj->pos = 0;
	fread(fileobj->buf, 1, fileobj->filesize, fp);
	fclose(fp);
	*/
	HANDLE hFILE = CreateFileA((LPCSTR)filename, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);

	DWORD bytestoread;
	DWORD filesize = GetFileSize(hFILE, NULL);
	fileobj->filesize = filesize;
	fileobj->buf = new char[filesize + 4];
	fileobj->pos = 0;
	ReadFile(hFILE,fileobj->buf,filesize,&bytestoread,NULL);
	// printf("hFILE %d, file size : %d, bytestoRead : %d\n",hFILE, filesize, bytestoread);
	CloseHandle(hFILE);
}

extern "C" __declspec(dllexport) int fuzz_me(char* filename);


void* mem_obj;
MemObjEx memobj;
decOpt decopt_obj;
stmProcs* stmProc = new stmProcs;
char* unknown3[0x100];

int fuzz_me(char* filename) {
	memset(unknown3, 0, 0x100);

	void* opt_obj = JP2KDecOptCreate_func();
	JP2KDecOptInitToDefaults_func(opt_obj);
	void* image_obj = JP2KImageCreate_func();

#ifdef DEBUG
	printf("mem_obj = 0x%p\n", mem_obj);
	printf("image_obj = 0x%p\n", image_obj);
#endif

	
	init_file_obj(&global_file_obj, filename);

	int ret = JP2KImageInitDecoderEx_func(image_obj, &global_file_obj, stmProc, opt_obj, unknown3);
	printf("JP2KImageInitDecoderEx ret = %d\n", ret);

	// void* image_data = JP2KImageDataCreate_func();
	// int max_res = JP2KImageGetMaxRes_func(image_obj);
	// ret = JP2KImageDecodeTileInterleaved_func(image_obj,0,max_res,8,0xff,0,image_data);
	// printf("JP2KImageDecodeTileInterleaved ret = %d\n", ret);

	// JP2KImageDataDestroy_func(image_data);
	JP2KImageDestroy_func(image_obj);
	JP2KDecOptDestroy_func(opt_obj);

	delete[] global_file_obj.buf;
	return 0;
}

int main(int argc, char** argv) {
	if (argc < 2) {
		printf("Usage : %s <input file>\n", argv[0]);
		return 1;
	}
	

	memobj.funcs_0 = nop0;
	memobj.funcs_1 = nop1;
	memobj.funcs_2 = nop2;
	memobj.funcs_3 = nop3;
	memobj.malloc_1 = malloc_1;
	memobj.free_1 = free_1;
	memobj.memcpy_1 = memcpy_1;
	memobj.funcs_7 = nop7;
	memobj.memset_1 = memset_1;

	HMODULE hJp2klib = LoadLibraryA("C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\JP2Klib.dll");
	

	if (hJp2klib == NULL) {
		printf("failed to load library, last error %d\n", GetLastError());
		exit(1);
	}

	LOAD_FUNC(hJp2klib, JP2KLibInitEx);
	LOAD_FUNC(hJp2klib, JP2KGetMemObjEx);
	LOAD_FUNC(hJp2klib, JP2KDecOptCreate);
	LOAD_FUNC(hJp2klib, JP2KDecOptInitToDefaults);
	LOAD_FUNC(hJp2klib, JP2KImageCreate);
	LOAD_FUNC(hJp2klib, JP2KImageInitDecoderEx);
	LOAD_FUNC(hJp2klib, JP2KImageDataCreate);
	LOAD_FUNC(hJp2klib, JP2KImageGetMaxRes);
	LOAD_FUNC(hJp2klib, JP2KImageDecodeTileInterleaved);
	LOAD_FUNC(hJp2klib, JP2KImageDataDestroy);
	LOAD_FUNC(hJp2klib, JP2KImageDestroy);
	LOAD_FUNC(hJp2klib, JP2KDecOptDestroy);


	// JP2KCodeStm_IsSeekAble JP2KCodeStm_seekable_func = (JP2KCodeStm_IsSeekAble)GetProcAddress(hJp2klib,"?IsSeekable@JP2KCodeStm@@QAE_NXZ");
	
	// setup our vtable 
	stmProc->return_arg0 = return_arg0_func;
	stmProc->die = my_die;
	stmProc->read = my_read;
	stmProc->seek = my_seek;
	stmProc->write = my_write;
	stmProc->tellPos = my_tellPos;
	stmProc->seek_able = is_seek_able;
	stmProc->read_able = is_read_able;
	stmProc->write_able = is_write_able;

#ifdef DEBUG
	printf("JP2KLibInitEx at 0x%p\n", JP2KLibInitEx_func);
	printf("JP2KGetMemObjEx at 0x%p\n", JP2KGetMemObjEx_func);
	printf("JP2KDecOptCreate at 0x%p\n", JP2KDecOptCreate_func);
	printf("JP2KDecOptInitToDefaults at 0x%p\n", JP2KDecOptInitToDefaults_func);
	printf("JP2KImageCreate at 0x%p\n", JP2KImageCreate_func);
	printf("JP2KImageInitDecoderEx at 0x%p\n", JP2KImageInitDecoderEx_func);
	// printf("JP2KCodeStm::IsSeekable at 0x%p\n", JP2KCodeStm_seekable_func);
	printf("JP2KImageDataCreate at 0x%p\n", JP2KImageDataCreate_func);
	printf("JP2KImageGetMaxRes at 0x%p\n", JP2KImageGetMaxRes_func);
	printf("JP2KImageDecodeTileInterleaved at 0x%p\n", JP2KImageDecodeTileInterleaved_func);
	printf("JP2KImageDataDestroy at 0x%p\n", JP2KImageDataDestroy_func);
	printf("JP2KImageDestroy at 0x%p\n", JP2KImageDestroy_func);
	printf("JP2KDecOptDestroy at 0x%p\n", JP2KDecOptDestroy_func);
#endif

	JP2KLibInitEx_func(&memobj);
	mem_obj = JP2KGetMemObjEx_func();

	// fuzz func
	fuzz_me(argv[1]);
	
	return 0;
}

拿去winafl_fuzz的时候，速度居然还没有1秒一个，几乎等于没用

我自己推测的原因一个是机子性能8太行，穷啊，一个是这里面太多的内存分配释放和拷贝了，拖慢了运行的速度

最后就只能当作个harness编写练习，还是找其它的方法去了