id	summary	reporter	owner	description	type	status	priority	milestone	component	version	resolution	keywords	cc	product
60	debugging module using ptrace	guest	Sam Hocevar	"The main function of this ptrace module is to add a debugging environment. At the same time, its other task is to find the maximum possible locations where the application may crash and to find its location.

The ptrace module can be invoked using the -d option, i.e. debugging.
zzuf -r0.12 -d ./mypgm2

If the application program crashes, the following options are shown:
1.Single Step
2.View Variable
3.Continue stop child
4.Modify Variable
5.View Registers
6.Modify Registers
7.Process Id
8.View Instuctions
9.View EIP
10.View Error Table
11.Set BreakPoint
12.Help
13. Restart Process
14.Exit

These are the various debugging options. It will also show the different functions, each with its name and its start and end EIP. This can be used for setting the breakpoint.

example:-
Name Of Function         Start Eip       End Eip
__libc_csu_fini      8048900       8048904
_start      80483c0       80483f2
_fini      80489a8       80489b6
__libc_csu_init      8048910       804891c
__i686.get_pc_thunk.bx      8048979       804897c
main      8048494       80488f5
_init      8048310       8048326



It will also show:

ch.pid=6506 read count=4  crash=1 seed=0 sec_count=0 rerun=1

ch.pid represents the process ID of the current application, which is under the control of zzuf.
sec_count represents the number of system calls (or fuzzing) that have been executed.
After each run, sec_count is set to zero and its value is assigned to read count.
Both read count and sec_count are used for controlling the fuzzing.
Fuzzing occurs only if sec_count is greater than read count.

crash represents the number of crashes that can occur in the application.
rerun is incremented whenever the application is restarted after a crash.

These are the various options:

1.Single Step
	This option can be used for single stepping. It will show the EIP (instruction pointer) of the current statement.
	
2.View Variable
	This option can be used to view the content of a variable. Currently it is implemented only for global variables. For this, the name of the variable is taken as input.
	
3.Continue stop child
	The application program stops after executing the system call (which contains fuzzing). This option is used to continue that program.

4.Modify Variable
	This option can be used to modify the content of a variable. Currently it is implemented only for global variables. For this, the name of the variable is taken as input.

5.View Registers
	This option can be used for viewing the content of the following registers of the application program: EAX, EBX, ECX, EDX, ESI, EDI, EBP, ESP, EIP.

6.Modify Registers
	This option can be used for modifying the content of the following registers of the application program: EAX, EBX, ECX, EDX, ESI, EDI, EBP, ESP, EIP.


7.Process Id
	This option shows the process id of current option.
	
8.View Instuctions
	This option can be used for viewing the next few instructions.
	
9.View EIP
	This option will show the content of instruction pointer.

10.View Error Table
	This option will show the error table. 
	example:-
		Function Name      Eip
		main              8048635
		main              804883b
	It will give the name of the function as well as the exact instruction pointer where the program crashes. This can then be mapped with utilities like objdump/readelf.

11.Set BreakPoint
	This option can be used for setting a breakpoint. It takes the EIP as input (as a decimal value) and sets the breakpoint at that instruction pointer.
	Note: Please try to set the breakpoint before any system call (where fuzzing occurs). The EIP of the application can be taken from utilities like objdump/readelf.

12.Help
	This option will show the help.
	
13. Restart Process
	This option is used to restart the application program when it crashes.
	If the following messages appear, give option 13 as input:
	""Program Has Been Crashed !!!!! Please Give Option 13 so as to restart the Process""
	""Program Execution Is Over""

14.Exit
	This option can terminate the whole application.

 "	enhancement	new	major		core	SVN			maheshebhole@gmail.com	zzuf
