[Triton installation procedure]

=Prepare Ubuntu 16.04
Install Ubuntu 16.04 from:
http://releases.ubuntu.com/16.04/
For an EC2 instance, the following images are available:
instance-store: ubuntu/images/ubuntu-xenial-16.04-amd64-server-20160721 - ami-8bbc47ea (paid)
or
ebs: ubuntu/images/ebs-ssd/ubuntu-xenial-16.04-amd64-server-20160721 - ami-e5b64d84 (free tier available; possibly more expensive in the long run?)

=Build environment
sudo apt-get update
sudo apt-get install git gcc g++ make cmake

=libboost, libpython
apt-cache policy libboost-all-dev
→ Confirm the version is 1.55 or later. On Ubuntu 14.04 this package is too old and does not work.
sudo apt-get install libboost-all-dev libpython-all-dev

=libcapstone
sudo apt-get install libcapstone-dev libcapstone3

=libz3
git clone https://github.com/Z3Prover/z3.git
cd z3
python scripts/mk_make.py
cd build
make
sudo make install
→ this takes a while

=Pin
cd
wget http://software.intel.com/sites/landingpage/pintool/downloads/pin-2.14-71313-gcc.4.4.7-linux.tar.gz
tar zxvf pin-2.14-71313-gcc.4.4.7-linux.tar.gz
cd pin-2.14-71313-gcc.4.4.7-linux/source/tools/

=Triton
git clone https://github.com/JonathanSalwan/Triton.git
cd Triton
mkdir build
cd build
cmake -DPINTOOL=on -DKERNEL4=on ..
make
cd ..

=Linux Security Module: Yama settings
sudo su
echo 0 > /proc/sys/kernel/yama/ptrace_scope
exit
(Reference) 0 => Classic ptrace: a process can PTRACE_ATTACH to any other process running under the same uid, as long as it is dumpable.
https://labs.portcullis.co.uk/blog/using-intel-pin-tools-for-binary-instrumentation/

=Verify the installation
./triton ./src/examples/pin/ir.py /usr/bin/id

=Running a tool
$ ./triton ./src/tools/code_coverage.py ./src/samples/crackmes/crackme_regex_fsm a
[+] Take Snapshot
[+] In main
[+] In main() we set :
[0x7ffdfdef25a6] = 61 a
[0x7ffdfdef25a7] = 61 a
[0x7ffdfdef25a8] = 61 a
[0x7ffdfdef25a9] = 61 a
[0x7ffdfdef25aa] = 61 a
[0x7ffdfdef25ab] = 61 a
[0x7ffdfdef25ac] = 61 a
[0x7ffdfdef25ad] = 61 a
Bad boy.
[+] Exit point
{140728863761830L: 72L}
{140728863761830L: 0L}
{140728863761830L: 251L, 140728863761831L: 72L}
{140728863761830L: 251L, 140728863761831L: 0L}
{140728863761832L: 72L, 140728863761830L: 255L, 140728863761831L: 251L}
{140728863761832L: 0L, 140728863761830L: 255L, 140728863761831L: 251L}
{140728863761832L: 255L, 140728863761833L: 72L, 140728863761830L: 255L, 140728863761831L: 254L}
{140728863761832L: 255L, 140728863761833L: 0L, 140728863761830L: 255L, 140728863761831L: 254L}
{140728863761832L: 255L, 140728863761833L: 255L, 140728863761834L: 72L, 140728863761830L: 255L, 140728863761831L: 255L}
{140728863761832L: 255L, 140728863761833L: 255L, 140728863761834L: 0L, 140728863761830L: 255L, 140728863761831L: 255L}
{140728863761830L: 255L, 140728863761831L: 255L, 140728863761832L: 255L, 140728863761833L: 255L, 140728863761834L: 253L, 140728863761835L: 72L}
{140728863761830L: 255L, 140728863761831L: 255L, 140728863761832L: 255L, 140728863761833L: 255L, 140728863761834L: 253L, 140728863761835L: 0L}
{140728863761830L: 255L, 140728863761831L: 255L, 140728863761832L: 255L, 140728863761833L: 255L, 140728863761834L: 255L, 140728863761835L: 255L, 140728863761836L: 72L}
{140728863761830L: 255L, 140728863761831L: 255L, 140728863761832L: 255L, 140728863761833L: 255L, 140728863761834L: 255L, 140728863761835L: 255L, 140728863761836L: 0L}
{140728863761830L: 255L, 140728863761831L: 255L, 140728863761832L: 255L, 140728863761833L: 255L, 140728863761834L: 255L, 140728863761835L: 239L, 140728863761836L: 255L, 140728863761837L: 72L}
{140728863761830L: 255L, 140728863761831L: 255L, 140728863761832L: 255L, 140728863761833L: 255L, 140728863761834L: 255L, 140728863761835L: 239L, 140728863761836L: 255L, 140728863761837L: 0L}
[+] Restore snapshot
[+] In main
[+] In main() we set :
[0x7ffdfdef25a6] = ff
[0x7ffdfdef25a7] = ff
[0x7ffdfdef25a8] = ff
[0x7ffdfdef25a9] = ff
[0x7ffdfdef25aa] = ff
[0x7ffdfdef25ab] = ef
[0x7ffdfdef25ac] = ff
[0x7ffdfdef25ad] = 0
Bad boy.
(output continues)
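As an added example (not part of the original memo), a POSIX sh pre-flight script that checks the two prerequisites the procedure above flags before you build: the libboost candidate version reported by apt-cache policy must be 1.55 or newer, and Yama's ptrace_scope must be 0 for Pin to attach. The function names and the sample apt-cache output are assumptions made for this example.

```shell
#!/bin/sh
# Added pre-flight check for two gotchas in the procedure above: libboost must be
# 1.55+ (the 14.04 package is too old) and Yama ptrace_scope must be 0 for Pin.
# Function names and SAMPLE_POLICY below are assumptions made for this example.
MIN_BOOST_MINOR=55

# candidate_version: reads `apt-cache policy <pkg>` output on stdin and prints
# the "Candidate:" version (empty if the package is unknown to apt).
candidate_version() {
    sed -n 's/^ *Candidate: *//p' | head -n 1
}

# boost_version_ok VERSION: succeeds if VERSION (e.g. "1.58.0.1ubuntu1") >= 1.55.
boost_version_ok() {
    [ -n "$1" ] && [ "$1" != "(none)" ] || return 1
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    minor=${minor%%[!0-9]*}   # "58ubuntu1" -> "58"; Debian revisions are ignored
    minor=${minor:-0}
    [ "$major" -gt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -ge "$MIN_BOOST_MINOR" ]; }
}

# ptrace_scope_ok VALUE: succeeds only for Yama scope 0 (classic ptrace, which Pin
# needs to attach). Ubuntu defaults to 1 (descendants only); 2 is admin-only,
# 3 disables attach entirely. Put it back to 1 once you are done tracing.
ptrace_scope_ok() {
    [ "$1" = "0" ]
}

# preflight: run both checks against the live host; exit status 0 when ready.
preflight() {
    ver=$(apt-cache policy libboost-all-dev 2>/dev/null | candidate_version)
    scope=$(cat /proc/sys/kernel/yama/ptrace_scope 2>/dev/null || echo unknown)
    ok=0
    boost_version_ok "$ver" ||
        { echo "libboost-all-dev candidate '$ver' is older than 1.55" >&2; ok=1; }
    ptrace_scope_ok "$scope" ||
        { echo "kernel.yama.ptrace_scope is '$scope'; Pin needs 0" >&2; ok=1; }
    return $ok
}

# Constructed sample of `apt-cache policy libboost-all-dev` on Ubuntu 16.04, so
# candidate_version can be exercised without touching the host.
SAMPLE_POLICY='libboost-all-dev:
  Installed: (none)
  Candidate: 1.58.0.1ubuntu1'

if [ "${1:-}" = "--run" ]; then preflight; fi
```

Run it with `sh preflight.sh --run` on the build host; the pure functions can also be sourced and fed captured output.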