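/*
 * Fuzz the sh_link/sh_info fields of a SHT_DYNAMIC, SHT_HASH or SHT_GNU_HASH
 * section header (orcSHT); any other section type is left untouched.
 *
 * sh_info is either a random section index or a raw getElf_Word() value.
 * For sh_link the code deliberately prefers a section of the *wrong* kind
 * (not a string table for SHT_DYNAMIC, not a symbol table for the hash
 * sections) so that the link is plausible-looking but invalid.
 *
 * Returns 1 when the header was modified (and the mutation written to logfp),
 * 0 when nothing was changed.
 *
 * Globals: orcSHT, orcHDR, orcOrigSHT, mode, sh, logfp, getElf_Word(),
 * getElf_Half() are all defined elsewhere in the project.
 */
int sht11(void)
{
	/* Upper bound for the "find a section of the wrong kind" loops below.
	   The unbounded form never terminates when every non-null section has
	   the excluded type (e.g. a two-section file whose section 1 is the
	   string table), which stalls the whole run. */
	enum { MAX_PICK_TRIES = 64 };

	if(orcSHT->sh_type != SHT_DYNAMIC &&
		orcSHT->sh_type != SHT_HASH &&
		orcSHT->sh_type != SHT_GNU_HASH)
		return 0;

	/* rand() % (e_shnum - 1) divides by zero (UB) when e_shnum == 1, and with
	   e_shnum == 0 the index 1 would overrun orcOrigSHT; only draw a section
	   index when at least one non-null section exists. Otherwise fall back
	   to the raw-value branches, which do not index anything. */
	const int can_pick_shndx = orcHDR->e_shnum > 1;

	if(can_pick_shndx && rand() % 2)
		orcSHT->sh_info = 1 + (rand() % (orcHDR->e_shnum - 1));
	else
		orcSHT->sh_info = getElf_Word();

	/* Indices drawn below lie in [1, e_shnum - 1]; assumes orcOrigSHT holds
	   e_shnum entries — TODO confirm at its definition. */
	Elf_Word l;

	if(orcSHT->sh_type == SHT_DYNAMIC){
		if(mode & DYN){
			if(rand() % 2){
				/* Only sh_info was rewritten in this branch. */
				fprintf(logfp, "(SHT[%d]->sh_info = 0x%x)", sh, orcSHT->sh_info);

				return 1;
			}

			if(can_pick_shndx && rand() % 4 < 3){
				/* Prefer a section that is not a string table; after
				   MAX_PICK_TRIES keep whatever was drawn last. */
				int tries = 0;
				do {
					l = 1 + (rand() % (orcHDR->e_shnum - 1));
				} while(orcOrigSHT[l].sh_type == SHT_STRTAB && ++tries < MAX_PICK_TRIES);
			} else
				l = (Elf_Word) getElf_Half();

			orcSHT->sh_link = l;
		} else {
			if(can_pick_shndx && rand() % 2)
				orcSHT->sh_link = 1 + (rand() % (orcHDR->e_shnum - 1));
			else
				orcSHT->sh_link = (Elf_Word) getElf_Half();
		}
	} else { // SHT_HASH / SHT_GNU_HASH
		if(can_pick_shndx && rand() % 4 < 3){
			/* Prefer a section that is not a symbol table; bounded as above. */
			int tries = 0;
			do {
				l = 1 + (rand() % (orcHDR->e_shnum - 1));
			} while((orcOrigSHT[l].sh_type == SHT_SYMTAB || orcOrigSHT[l].sh_type == SHT_DYNSYM)
				&& ++tries < MAX_PICK_TRIES);
		} else
			l = (Elf_Word) getElf_Half();

		orcSHT->sh_link = l;
	}

	fprintf(logfp, "(SHT[%d]->sh_link = 0x%x,", sh, orcSHT->sh_link);
	fprintf(logfp, " sh_info = 0x%x)", orcSHT->sh_info);

	return 1;
}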
/*
 * Fuzz the three ELF header fields that locate the section header table:
 * e_shoff, e_shnum and e_shentsize, each replaced by a fresh getElf_*()
 * value in that order.
 *
 * Does nothing (returns 0) when the SHT mode flag is set; returns 1 after
 * rewriting and logging the fields otherwise.
 */
int hdr14(void)
{
	if(!(mode & SHT)){
		/* Draw in the original order so the random stream is consumed
		   identically: offset, then count, then entry size. */
		orcHDR->e_shoff     = getElf_Off();
		orcHDR->e_shnum     = getElf_Half();
		orcHDR->e_shentsize = getElf_Half();

		fprintf(logfp, "(HDR->e_shoff = 0x"HEX",", orcHDR->e_shoff);
		fprintf(logfp, " e_shnum = 0x%x,", orcHDR->e_shnum);
		fprintf(logfp, " e_shentsize = 0x%x)", orcHDR->e_shentsize);

		return 1;
	}

	return 0;
}
/*
 * Fuzz the ELF header's e_ehsize (header size) with a getElf_Half() value.
 * Always mutates; returns 1 after logging the new value.
 */
int hdr7(void)
{
	const Elf_Half ehsize = getElf_Half();

	orcHDR->e_ehsize = ehsize;
	fprintf(logfp, "(HDR->e_ehsize = 0x%x)", orcHDR->e_ehsize);

	return 1;
}
/*
 * Fuzz the ELF header's section-table geometry.
 *
 * 25% of the time e_shentsize is simply zeroed. Otherwise e_shentsize and
 * e_shnum both get a getElf_Half() value — unless the SHT mode flag is set,
 * in which case this 75% branch is skipped and 0 is returned.
 *
 * Returns 1 when a field was rewritten and logged, 0 otherwise.
 */
int hdr9(void)
{
	/* The random draw happens before the mode check, as in the original,
	   so the random stream is consumed identically. */
	const int zero_entsize = (rand() % 4) == 3;

	if(zero_entsize){
		orcHDR->e_shentsize = 0;
		fprintf(logfp, "(HDR->e_shentsize = 0x00)");
		return 1;
	}

	if(mode & SHT)
		return 0;

	orcHDR->e_shentsize = getElf_Half();
	orcHDR->e_shnum = getElf_Half();
	fprintf(logfp, "(HDR->e_shentsize = 0x%x,", orcHDR->e_shentsize);
	fprintf(logfp, " e_shnum = 0x%x)", orcHDR->e_shnum);

	return 1;
}
/*
 * Fuzz the p_flags of the current program header (orcPHT).
 *
 * Half the time the flags are replaced wholesale by a getElf_Half() value
 * (presumably 16-bit, so the upper flag bits are cleared); the other half
 * the processor-specific mask PF_MASKPROC is OR-ed into the existing flags.
 *
 * Always mutates; returns 1 after logging.
 */
int pht10(void)
{
    const int replace_flags = rand() % 2;

    orcPHT->p_flags = replace_flags
        ? getElf_Half()
        : (orcPHT->p_flags | PF_MASKPROC);

    fprintf(logfp, "(PHT[%d]->p_flags = 0x%x)", ph, orcPHT->p_flags);

    return 1;
}
/*
 * Fuzz the ELF header's e_type (object file type).
 *
 * Three outcomes, each weighted by rand():
 *   - 50%:   a value in [0, ET_NUM)            — a valid-looking type
 *   - 37.5%: a value in [5, ET_HIPROC)         — outside the standard range,
 *            or 0 if the draw hits 0 first (the loop stops on 0)
 *   - 12.5%: 0 (ET_NONE)
 *
 * Note the `e_type <= ET_HIPROC` test in the middle branch is always true,
 * since the candidate was just reduced modulo ET_HIPROC; only `>= 5` filters.
 *
 * Always mutates; returns 1 after logging.
 */
int hdr3(void)
{
	Elf_Half e_type = 0;

	if(rand() % 2){ // 50% chance
		e_type = getElf_Half() % ET_NUM;
	} else if((rand() % 4) < 3){ // .5 * .75 = 37.5% chance
		/* Redraw until the candidate is 0 or lands in [5, ET_HIPROC]. */
		do {
			e_type = (Elf_Half)(getElf_Half() % ET_HIPROC);
		} while(e_type != 0 && !(e_type >= 5 && e_type <= ET_HIPROC));
	}
	/* else: .5 * .25 = 12.5% chance, e_type stays 0 */

	orcHDR->e_type = e_type;

	fprintf(logfp, "(HDR->e_type = 0x%x)", orcHDR->e_type);

	return 1;
}
void fuzzSize()
{
	if((rand() % 4) < 3){ // 75% chance
		if(rand() % 2)
#if defined(__i386__) || defined(__ANDROID_API__)
			orcSHT->sh_size = getElf_Word();
#elif defined(__x86_64__)
			orcSHT->sh_size = getElf_Xword();
#endif
		else
			orcSHT->sh_size = getElf_Half();
	} else
/*
 * Fuzz the ELF header's e_machine (target architecture).
 *
 * 75% of the time a getElf_Half() value is drawn repeatedly until it is
 * either 0 or greater than 16 (the loop stops on 0, so 0 is a possible
 * result of this branch too); the remaining 25% sets e_machine to 0.
 *
 * Always mutates; returns 1 after logging.
 */
int hdr4(void)
{
	const int draw_machine = (rand() % 4) < 3; // 75% chance

	if(!draw_machine){
		orcHDR->e_machine = 0;
	} else {
		/* Keep drawing while the candidate is a small non-zero value. */
		do {
			orcHDR->e_machine = getElf_Half();
		} while(orcHDR->e_machine != 0 && orcHDR->e_machine <= 16);
	}

	fprintf(logfp, "(HDR->e_machine = 0x%x)", orcHDR->e_machine);

	return 1;
}
/*
 * Fuzz r_offset of the current relocation entry (orcREL for SHT_REL sections,
 * orcRELA otherwise).
 *
 * Two thirds of the calls do nothing. For ET_REL objects the offset gets a
 * getElf_Half() value; for ET_EXEC/ET_DYN it gets a getElf_Addr() value;
 * any other e_type is skipped.
 *
 * Returns 1 when the offset was rewritten and logged, 0 otherwise.
 */
int rel1(void)
{
    if(rand() % 3 < 2)
        return 0;

    const int is_rel = (orcSHT->sh_type == SHT_REL);

    switch(orcHDR->e_type){
    case ET_REL:
        if(is_rel)
            orcREL->r_offset  = getElf_Half();
        else
            orcRELA->r_offset = getElf_Half();
        break;
    case ET_EXEC:
    case ET_DYN:
        if(is_rel)
            orcREL->r_offset  = getElf_Addr();
        else
            orcRELA->r_offset = getElf_Addr();
        break;
    default:
        return 0;
    }

    fprintf(logfp, "(REL[%d]->r_offset = 0x"HEX")", entry, is_rel ? orcREL->r_offset : orcRELA->r_offset);

    return 1;
}
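/*
 * Fuzz the sh_link/sh_info fields of a symbol-table section header
 * (SHT_SYMTAB or SHT_DYNSYM) in orcSHT.
 *
 * The mutation is skipped 2/3 of the time in REL mode (there sh_link is the
 * relocation's associated symbol table, per the original comment), 1/2 of the
 * time in SYM mode, and a further 1/2 of the time unconditionally. When it
 * runs, sh_info becomes a random section index or a raw 16-bit value, and
 * sh_link preferably a section that is *not* a string table — i.e. an
 * invalid link that still looks like a real index.
 *
 * Returns 1 when the fields were rewritten and logged, 0 otherwise.
 *
 * Globals: orcSHT, orcHDR, orcOrigSHT, mode, sh, logfp, getElf_Half()
 * are defined elsewhere in the project.
 */
int sht13(void)
{
	/* Upper bound for the "find a non-STRTAB section" loop: the unbounded
	   form never terminates when every non-null section is a string table. */
	enum { MAX_PICK_TRIES = 64 };

	if(orcSHT->sh_type != SHT_SYMTAB &&
		orcSHT->sh_type != SHT_DYNSYM)
		return 0;

	if(mode & REL) // In REL, sh_link is the associated symbol table
		if(rand() % 3 < 2)
			return 0;

	if(mode & SYM)
		if(rand() % 2)
			return 0;

	if(!(rand() % 2))
		return 0;

	/* rand() % (e_shnum - 1) divides by zero (UB) when e_shnum == 1, and with
	   e_shnum == 0 index 1 would overrun orcOrigSHT; only draw a section
	   index when at least one non-null section exists. */
	const int can_pick_shndx = orcHDR->e_shnum > 1;

	if(can_pick_shndx && rand() % 2)
		orcSHT->sh_info = 1 + (rand() % (orcHDR->e_shnum - 1));
	else
		orcSHT->sh_info = (Elf_Word) getElf_Half();

	/* Indices drawn below lie in [1, e_shnum - 1]; assumes orcOrigSHT holds
	   e_shnum entries — TODO confirm at its definition. */
	Elf_Word l;

	if(can_pick_shndx && rand() % 4 < 3){
		/* Prefer a section that is not a string table; after MAX_PICK_TRIES
		   keep whatever was drawn last. */
		int tries = 0;
		do {
			l = 1 + (rand() % (orcHDR->e_shnum - 1));
		} while(orcOrigSHT[l].sh_type == SHT_STRTAB && ++tries < MAX_PICK_TRIES);
	} else
		l = (Elf_Word) getElf_Half();

	orcSHT->sh_link = l;

	fprintf(logfp, "(SHT[%d]->sh_link = 0x%x,", sh, orcSHT->sh_link);
	fprintf(logfp, " sh_info = 0x%x)", orcSHT->sh_info);

	return 1;
}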
/*
 * Fuzz sh_name (the .shstrtab offset) of the current section header (orcSHT).
 *
 * One third of the time the field gets a raw getElf_Word() or getElf_Half()
 * value (50/50). Otherwise it is set to 0 one third of the time and to a
 * small random value in [0, 0xff) the rest of the time.
 *
 * Always mutates; nothing is logged here.
 */
void fuzzName()
{
	const int raw_value = (rand() % 3 == 0);

	if(raw_value){
		orcSHT->sh_name = (rand() % 2) ? getElf_Word() : getElf_Half();
		return;
	}

	const int zero_name = (rand() % 3 == 0);

	orcSHT->sh_name = zero_name ? 0x00 : (rand() % 0xff);
}
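/*
 * Fuzz the sh_link/sh_info fields of a relocation section header
 * (SHT_REL or SHT_RELA) in orcSHT.
 *
 * In REL mode only sh_info is touched, and only half the time. Otherwise
 * sh_link is preferably pointed at a section that is *not* a symbol table
 * (an invalid but plausible-looking link) and sh_info becomes a random
 * section index or a raw getElf_Word() value.
 *
 * Returns 1 when a field was rewritten and logged, 0 otherwise.
 *
 * Globals: orcSHT, orcHDR, orcOrigSHT, mode, sh, logfp, getElf_Word(),
 * getElf_Half() are defined elsewhere in the project.
 */
int sht12(void)
{
	/* Upper bound for the "find a non-symbol-table section" loop: the
	   unbounded form never terminates when every non-null section is a
	   SHT_SYMTAB/SHT_DYNSYM. */
	enum { MAX_PICK_TRIES = 64 };

	if(orcSHT->sh_type != SHT_REL &&
		orcSHT->sh_type != SHT_RELA)
		return 0;

	/* rand() % (e_shnum - 1) divides by zero (UB) when e_shnum == 1, and with
	   e_shnum == 0 index 1 would overrun orcOrigSHT; only draw a section
	   index when at least one non-null section exists. */
	const int can_pick_shndx = orcHDR->e_shnum > 1;

	if(mode & REL){
		if(!(rand() % 2))
			return 0;

		if(can_pick_shndx && rand() % 2)
			orcSHT->sh_info = 1 + (rand() % (orcHDR->e_shnum - 1));
		else
			orcSHT->sh_info = getElf_Word();

		fprintf(logfp, "(SHT[%d]->sh_info = 0x%x)", sh, orcSHT->sh_info);

		return 1;
	}

	/* Indices drawn below lie in [1, e_shnum - 1]; assumes orcOrigSHT holds
	   e_shnum entries — TODO confirm at its definition. */
	Elf_Word l;

	if(can_pick_shndx && rand() % 4 < 3){
		/* Prefer a section that is not a symbol table; after MAX_PICK_TRIES
		   keep whatever was drawn last. */
		int tries = 0;
		do {
			l = 1 + (rand() % (orcHDR->e_shnum - 1));
		} while((orcOrigSHT[l].sh_type == SHT_SYMTAB || orcOrigSHT[l].sh_type == SHT_DYNSYM)
			&& ++tries < MAX_PICK_TRIES);
	} else
		l = (Elf_Word) getElf_Half();

	orcSHT->sh_link = l;

	if(can_pick_shndx && rand() % 2)
		orcSHT->sh_info = 1 + (rand() % (orcHDR->e_shnum - 1));
	else
		orcSHT->sh_info = getElf_Word();

	fprintf(logfp, "(SHT[%d]->sh_link = 0x%x,", sh, orcSHT->sh_link);
	fprintf(logfp, " sh_info = 0x%x)", orcSHT->sh_info);

	return 1;
}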
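/*
 * Fuzz the ELF header's e_shstrndx (index of the section-name string table).
 *
 * Skipped entirely when any of the STRS/NOTE/DYN/SYM/REL mode flags is set,
 * and 2/3 of the time in SHT mode. Otherwise, 75% of the time the index is
 * a random value below elfHDR->e_shnum; the rest of the time it is a raw
 * getElf_Half() value or 0 (50/50).
 *
 * NOTE(review): the 75% branch bounds the index by elfHDR->e_shnum, not
 * orcHDR->e_shnum — presumably the unmodified input header, so the index
 * stays inside the original table even after e_shnum was fuzzed; confirm.
 *
 * Returns 1 when the field was rewritten and logged, 0 otherwise.
 */
int hdr10(void)
{
	if(mode & (STRS | NOTE | DYN | SYM | REL))
		return 0;

	if(mode & SHT)
		if(rand() % 3 < 2)
			return 0;

	/* rand() % elfHDR->e_shnum is a division by zero (UB) for an input with
	   no section headers (e_shnum == 0); send that case to the fallback
	   branch, which does not index anything. */
	if(elfHDR->e_shnum != 0 && (rand() % 4) < 3) // 75% chance
		orcHDR->e_shstrndx = rand() % elfHDR->e_shnum;
	else {
		if(rand() % 2)
			orcHDR->e_shstrndx = getElf_Half();
		else
			orcHDR->e_shstrndx = 0;
	}

	fprintf(logfp, "(HDR->e_shstrndx = 0x%x)", orcHDR->e_shstrndx);

	return 1;
}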
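/*
 * Fuzz p_filesz of a PT_NOTE program header (orcPHT) with a getElf_Half()
 * value that is not a multiple of sizeof(Elf_Word) — ELF note entries are
 * Elf_Word-aligned, so this yields a size a note parser must reject. A draw
 * of 0 ends the search and is used as-is.
 *
 * Skipped for non-PT_NOTE headers and when the NOTE mode flag is set.
 * Returns 1 when p_filesz was rewritten and logged, 0 otherwise.
 *
 * The candidate is assigned straight into orcPHT->p_filesz (the same idiom
 * hdr4 uses for e_machine) instead of through a local whose type the
 * original only declared under __i386__ / __x86_64__, which left every
 * other target with an undeclared identifier.
 */
int pht8(void)
{
    if(orcPHT->p_type != PT_NOTE)
        return 0;

    if(mode & NOTE)
        return 0;

    /* Keep drawing until the value is 0 or not Elf_Word-aligned. */
    while((orcPHT->p_filesz = getElf_Half()))
        if(orcPHT->p_filesz % sizeof(Elf_Word) != 0)
            break;

    fprintf(logfp, "(PHT[%d]->p_filesz = 0x"HEX")", ph, orcPHT->p_filesz);

    return 1;
}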