I have been reading the book <Exploiting Software: How to Break Code> recently. I am very curious about the chapter on building a code coverage tool yourself. However, I still have several questions about it:
1. One idea is restarting the application, where we write the originally saved memory regions back into the target application at a later breakpoint. However, shouldn't we also save all the registers when taking the memory snapshot? Should we reset the registers as well? The book did not make this clear.
2. At a conditional jump instruction, how do we know whether the instruction is user-input related? Does this have anything to do with the "boron" tag the book talks about? What does the "boron" tag mean? Based on my understanding, the principle is: while breaking at a conditional jump instruction, we check all the general registers, and if any register points to our user-supplied data we identify this instruction as user-supplied-data related. Is that right? Then how do we determine whether the buffer a register points to is our supplied data? I think there are many buffers in an application.
3. Is there any existing open-source coverage tool for learning purposes? It seems the book did not provide the full code as a sample.
I also have one or two other questions, but I will save your time here and leave them for later.
Thanks very much for any information!
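An added example, not from the book and not part of the original post, showing the mechanics behind questions 1 and 2 in working code: a minimal single-step tracer for Linux x86-64 (gcc, ptrace must be permitted). It forks a child that runs a tiny constructed "parser" over a constructed input buffer, single-steps the child, records every conditional jump it reaches (the coverage part), flags a jump as user-input related when a general-purpose register holds an address inside the input buffer at that moment, and snapshots the register file together with the buffer memory at the first such jump. A fixed number of input-related jumps later it writes both back with PTRACE_SETREGS/PTRACE_POKEDATA, which is the "restart from a saved state" idea from question 1 done with registers included. It does not try to locate the buffer by searching for a marker string: because the child is a fork of the tracer, the buffer's address is already known. The target function, the input bytes, the 8-jump restore threshold and the register-only check are all assumptions for the demo; the check finds only registers that directly point into the buffer, which is exactly the limitation asked about in question 2.

```c
// Added demo (not the book's code): ptrace single-step coverage tracer, Linux x86-64.
#include <errno.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/ptrace.h>
#include <sys/user.h>
#include <sys/wait.h>

#define MAX_HITS  4096
#define INPUT_LEN 16
#define RESTORE_AFTER_RELATED_JUMPS 8   /* assumption: restore once, after this many input-related Jcc */

/* Constructed sample input (not from the book): 15 bytes plus a NUL, half text, half small binary. */
static volatile uint8_t user_input[INPUT_LEN] = "AAAABBBB\x01\x02\x03\x04\x05\x06\x07";

/* 1 if the bytes at `insn` start a conditional jump (Jcc): short form 0x70..0x7F,
   near form 0x0F 0x80..0x8F. Opcode sniffing is enough here; a real tool uses a disassembler. */
int is_cond_jump(const uint8_t *insn) {
    if ((insn[0] & 0xF0) == 0x70) return 1;
    if (insn[0] == 0x0F && (insn[1] & 0xF0) == 0x80) return 1;
    return 0;
}

/* 1 if any general-purpose register (rsp/rip excluded) holds an address in [buf, buf+len).
   This is the crude "does a register point at our data" test; it misses values derived from the data. */
int regs_touch_buffer(const struct user_regs_struct *r, uintptr_t buf, size_t len) {
    unsigned long long v[] = { r->rax, r->rbx, r->rcx, r->rdx, r->rsi, r->rdi, r->rbp,
                               r->r8, r->r9, r->r10, r->r11, r->r12, r->r13, r->r14, r->r15 };
    for (size_t i = 0; i < sizeof v / sizeof v[0]; i++)
        if (v[i] >= buf && v[i] < buf + len) return 1;
    return 0;
}

/* Constructed target: its branches depend on the input bytes. volatile keeps the loop scalar. */
static int __attribute__((noinline)) target_parse(volatile const uint8_t *p, size_t n) {
    int score = 0;
    for (volatile const uint8_t *end = p + n; p < end; p++) {
        if (*p == 'A') score += 1;
        else if (*p < 0x10) score += 2;
    }
    return score;
}

struct snapshot { struct user_regs_struct regs; uint8_t mem[INPUT_LEN]; };  /* registers + memory */
struct hit { uintptr_t addr; int input_related; };

static int take_snapshot(pid_t pid, uintptr_t buf, struct snapshot *s) {
    if (ptrace(PTRACE_GETREGS, pid, 0, &s->regs) < 0) return -1;
    for (size_t i = 0; i < INPUT_LEN; i += sizeof(long)) {          /* INPUT_LEN is a multiple of 8 */
        errno = 0;
        long w = ptrace(PTRACE_PEEKDATA, pid, (void *)(buf + i), 0);
        if (w == -1 && errno) return -1;
        memcpy(s->mem + i, &w, sizeof w);
    }
    return 0;
}

static int restore_snapshot(pid_t pid, uintptr_t buf, const struct snapshot *s) {
    for (size_t i = 0; i < INPUT_LEN; i += sizeof(long)) {
        long w; memcpy(&w, s->mem + i, sizeof w);
        if (ptrace(PTRACE_POKEDATA, pid, (void *)(buf + i), (void *)w) < 0) return -1;
    }
    return (int)ptrace(PTRACE_SETREGS, pid, 0, &s->regs);            /* rip/eflags/rsp go back too */
}

/* Single-step `pid` until it exits; record distinct Jcc addresses. Returns count or -1. */
static int trace_child(pid_t pid, uintptr_t buf, struct hit *hits, int max) {
    int n = 0, status, related_seen = -1, restored = 0;
    struct snapshot snap; struct user_regs_struct regs;
    while (waitpid(pid, &status, 0) == pid && WIFSTOPPED(status)) {
        if (WSTOPSIG(status) != SIGTRAP && WSTOPSIG(status) != SIGSTOP) return -1;  /* child faulted */
        if (ptrace(PTRACE_GETREGS, pid, 0, &regs) < 0) return -1;
        errno = 0;
        long w = ptrace(PTRACE_PEEKTEXT, pid, (void *)regs.rip, 0);
        if (w == -1 && errno) return -1;
        uint8_t insn[2]; memcpy(insn, &w, 2);
        if (is_cond_jump(insn)) {
            int related = regs_touch_buffer(&regs, buf, INPUT_LEN), i;
            for (i = 0; i < n && hits[i].addr != regs.rip; i++) ;
            if (i == n && n < max) hits[n++] = (struct hit){ regs.rip, related };
            if (related && related_seen < 0 && take_snapshot(pid, buf, &snap) == 0) related_seen = 0;
            else if (related && related_seen >= 0) related_seen++;
            if (!restored && related_seen == RESTORE_AFTER_RELATED_JUMPS) {   /* still inside target */
                if (restore_snapshot(pid, buf, &snap) < 0) return -1;
                restored = 1;
            }
        }
        if (ptrace(PTRACE_SINGLESTEP, pid, 0, 0) < 0) return -1;   /* data 0: swallow SIGSTOP/SIGTRAP */
    }
    return n;
}

/* Fork, trace, print coverage. Returns number of input-related Jcc found, or -1 (e.g. ptrace denied). */
int run_demo(void) {
    static struct hit hits[MAX_HITS];
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (ptrace(PTRACE_TRACEME, 0, 0, 0) < 0) _exit(127);
        raise(SIGSTOP);                                              /* hand control to the tracer */
        _exit(target_parse(user_input, sizeof user_input) & 0x7f);
    }
    int n = trace_child(pid, (uintptr_t)user_input, hits, MAX_HITS), related = 0;
    if (n < 0) { kill(pid, SIGKILL); waitpid(pid, NULL, 0); return -1; }
    for (int i = 0; i < n; i++) {
        related += hits[i].input_related;
        printf("jcc at %#lx%s\n", (unsigned long)hits[i].addr,
               hits[i].input_related ? "  <- a register points into user input" : "");
    }
    return related;
}

int main(void) {
    int r = run_demo();
    if (r < 0) { perror("trace failed (ptrace permission?)"); return 1; }
    printf("%d input-related conditional jump(s)\n", r);
    return 0;
}
```

Build with `gcc -O1 demo.c -o demo` and run it; the number of jumps flagged as input-related changes with the optimization level because the crude check only sees registers that hold the buffer pointer at the instant of the jump. That is the practical answer to "how do we know a register points at our data": either you know the buffer's address from outside (as here) or you have to mark the input so you can find it, and either way a value computed from the input rather than a pointer to it is invisible to a register-only check.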