Configuration form edited, removed non useful options, changed item i…

…ndexes
illera88 · Sep 14, 2016 · 07ac026 · 07ac026
1 parent c36c570
commit 07ac026
Show file tree

Hide file tree

Showing 3 changed files with 51 additions and 65 deletions.
diff --git a/Ponce/src/formConfiguration.cpp b/Ponce/src/formConfiguration.cpp
@@ -17,17 +17,23 @@
 int idaapi modcb(int fid, form_actions_t &fa)
 {
 	ushort isActivated=0;
-
+	//Symbolic indexing still not implemented
+	fa.enable_field(7, 0);
+
+	//The Taint recv and Taint fread are disabled until we implemented them
+	fa.enable_field(12, 0);
+	fa.enable_field(13, 0);
 	switch (fid)
 	{
 	case -1:
 		break;
 	case -2:
 		break;
-	case 29: // Depending if argv(29) is activated we should activate 19 and 24
+	case 8: // Depending if argv(8) is activated we should activate 9, 10 and 11
 		fa.get_checkbox_value(fid, &isActivated);
-		fa.enable_field(19, isActivated ? 1 : 0);
-		fa.enable_field(24, isActivated ? 1 : 0);
+		fa.enable_field(9, isActivated ? 1 : 0);
+		fa.enable_field(10, isActivated ? 1 : 0);
+		fa.enable_field(11, isActivated ? 1 : 0);
 		break;
 	default:
 		break;
@@ -45,15 +51,14 @@ I you want to create a new checkbox you should:
 - add it to the msg at the end of the function for debug purposes*/
 void prompt_conf_window(void){
 	/*We should create as many ushort variables as groups of checkboxes we have in the form window*/
-	ushort chkgroup1, chkgroup2, chkgroup3, chkgroup4;
+	ushort chkgroup1, chkgroup2, chkgroup3;
 	ushort symbolic_or_taint_engine = 0;
 
 	if (!cmdOptions.already_configured){
 		//Here we can initialize the checkboxes by group
 		chkgroup1 = 1;
-		chkgroup2 = 1 | 2;
-		chkgroup3 = 1 | 8 | 16;
-		chkgroup4 = 1 | 8;
+		chkgroup2 = 1 | 2 | 8;
+		chkgroup3 = 1 | 2 | 8;
 
 		cmdOptions.blacklist_path[0] = '\0'; // Will use this to check if the user set some path for the blacklist
 	}
@@ -62,10 +67,9 @@ void prompt_conf_window(void){
 		after using the plugin we should set the variables to the previously set configuration. If we
 		don't do this the variables will be always initialized to  the previous lines
 		NOTE: Parenthesis are mandatory or it won't work!*/
-		chkgroup1 = (cmdOptions.showDebugInfo ? 1 : 0) | (cmdOptions.showExtraDebugInfo ? 2 : 0) | (cmdOptions.manageSymbolicIndexing ? 4 : 0) | (cmdOptions.enableTracingAsTainted ? 8 : 0);
-		chkgroup2 = (cmdOptions.automatedTainting ? 1 : 0) | (cmdOptions.taintEndOfString ? 2 : 0);
-		chkgroup3 = (cmdOptions.taintArgv ? 1 : 0) | (cmdOptions.taintArgv0 ? 2 : 0) | (cmdOptions.taintArgc ? 4 : 0) | (cmdOptions.taintRecv ? 8 : 0) | (cmdOptions.taintFread ? 16 : 0);
-		chkgroup4 = (cmdOptions.addCommentsControlledOperands ? 1 : 0) | (cmdOptions.RenameTaintedFunctionNames ? 2 : 0) | (cmdOptions.addCommentsSymbolicExpresions ? 4 : 0) | (cmdOptions.paintExecutedInstructions ? 8 : 0);
+		chkgroup1 = (cmdOptions.showDebugInfo ? 1 : 0) | (cmdOptions.showExtraDebugInfo ? 2 : 0) | (cmdOptions.manageSymbolicIndexing ? 4 : 0);
+		chkgroup2 = (cmdOptions.taintArgv ? 1 : 0) | (cmdOptions.taintEndOfString ? 2 : 0) | (cmdOptions.taintArgv0 ? 4 : 0) | (cmdOptions.taintArgc ? 8 : 0) | (cmdOptions.taintRecv ? 16 : 0) | (cmdOptions.taintFread ? 32 : 0);
+		chkgroup3 = (cmdOptions.addCommentsControlledOperands ? 1 : 0) | (cmdOptions.RenameTaintedFunctionNames ? 2 : 0) | (cmdOptions.addCommentsSymbolicExpresions ? 4 : 0) | (cmdOptions.paintExecutedInstructions ? 8 : 0);
 
 		symbolic_or_taint_engine = cmdOptions.use_symbolic_engine ? 0 : 1;	
 	}
@@ -77,7 +81,6 @@ void prompt_conf_window(void){
 		&chkgroup1,
 		&chkgroup2,
 		&chkgroup3,
-		&chkgroup4,
 		&cmdOptions.color_tainted,
 		&cmdOptions.color_tainted_condition,
 		&cmdOptions.color_executed_instruction,
@@ -104,21 +107,18 @@ void prompt_conf_window(void){
 		cmdOptions.showDebugInfo = chkgroup1 & 1 ? 1 : 0;
 		cmdOptions.showExtraDebugInfo = chkgroup1 & 2 ? 1 : 0;
 		cmdOptions.manageSymbolicIndexing = chkgroup1 & 4 ? 1 : 0;
-		cmdOptions.enableTracingAsTainted = chkgroup1 & 8 ? 1 : 0;
 		//
-		cmdOptions.automatedTainting = chkgroup2 & 1 ? 1 : 0;
+		cmdOptions.taintArgv = chkgroup2 & 1 ? 1 : 0;
 		cmdOptions.taintEndOfString = chkgroup2 & 2 ? 1 : 0;
+		cmdOptions.taintArgv0 = chkgroup2 & 4 ? 1 : 0;
+		cmdOptions.taintArgc = chkgroup2 & 8 ? 1 : 0;
+		cmdOptions.taintRecv = chkgroup2 & 16 ? 1 : 0;
+		cmdOptions.taintFread = chkgroup2 & 32 ? 1 : 0;
 		//
-		cmdOptions.taintArgv = chkgroup3 & 1 ? 1 : 0;
-		cmdOptions.taintArgv0 = chkgroup3 & 2 ? 1 : 0;
-		cmdOptions.taintArgc = chkgroup3 & 4 ? 1 : 0;
-		cmdOptions.taintRecv = chkgroup3 & 8 ? 1 : 0;
-		cmdOptions.taintFread = chkgroup3 & 16 ? 1 : 0;
-		//
-		cmdOptions.addCommentsControlledOperands = chkgroup4 & 1 ? 1 : 0;
-		cmdOptions.RenameTaintedFunctionNames = chkgroup4 & 2 ? 1 : 0;
-		cmdOptions.addCommentsSymbolicExpresions = chkgroup4 & 4 ? 1 : 0;
-		cmdOptions.paintExecutedInstructions = chkgroup4 & 8 ? 1 : 0;
+		cmdOptions.addCommentsControlledOperands = chkgroup3 & 1 ? 1 : 0;
+		cmdOptions.RenameTaintedFunctionNames = chkgroup3 & 2 ? 1 : 0;
+		cmdOptions.addCommentsSymbolicExpresions = chkgroup3 & 4 ? 1 : 0;
+		cmdOptions.paintExecutedInstructions = chkgroup3 & 8 ? 1 : 0;
 
 		if (cmdOptions.blacklist_path[0] != '\0'){
 			//Means that the user set a path for custom blacklisted functions
@@ -141,10 +141,8 @@ void prompt_conf_window(void){
 				"showDebugInfo: %s\n"
 				"showExtraDebugInfo: %s\n"
 				"manageSymbolicIndexing: %s\n"
-				"enableTracingAsTainted: %s\n"			
-				"automatedTainting: %s\n"
-				"taintEndOfString: %s\n"
 				"taintArgv: %s\n"
+				"taintEndOfString: %s\n"
 				"taintArgv0: %s\n"
 				"taintArgc: %s\n"
 				"taintRecv: %s\n"
@@ -162,10 +160,8 @@ void prompt_conf_window(void){
 				cmdOptions.showDebugInfo ? "true" : "false",
 				cmdOptions.showExtraDebugInfo ? "true" : "false",
 				cmdOptions.manageSymbolicIndexing ? "true" : "false",
-				cmdOptions.enableTracingAsTainted ? "true" : "false",
-				cmdOptions.automatedTainting ? "true" : "false",
-				cmdOptions.taintEndOfString ? "true" : "false",
 				cmdOptions.taintArgv ? "true" : "false",
+				cmdOptions.taintEndOfString ? "true" : "false",
 				cmdOptions.taintArgv0 ? "true" : "false",
 				cmdOptions.taintArgc ? "true" : "false",
 				cmdOptions.taintRecv ? "true" : "false",

diff --git a/Ponce/src/formConfiguration.hpp b/Ponce/src/formConfiguration.hpp
@@ -9,44 +9,36 @@ void prompt_conf_window(void);
 
 static const char form[] =
 "STARTITEM 0\n"
-//"@0:477[]\n"
 "Ponce Configuration\n\n"
 "%/"
-"<#time in seconds#Time limit before ask user\t                                  :L23:10:10>\n"
-"<#number of instructions1#Limit the number of instructions in tracing mode\t            :L21:10:10>\n"
+"<#time in seconds#Time limit before ask user (seconds)             :D1:10:10>\n"
+"<#Number of the instructions executed during tracing before ask to the user#Limit the number of instructions in tracing mode :D2:10:10>\n"
 "\n"
 // Choser between using only the tainting engine or the symbolic one
-"<#It will let you perform symbolic execution and track user controlled input#Select engine to use#Symbolic Engine:R><#It allow you to track user controlled input#Taint Engine:R>>"
-"\n"
-//
-"<#Show debug info#Debug options#"
-"Show debug info in the output windows:C10>\n"
-"<#Max debug verbosity#Show EXTRA debug info in the output windows:C16>\n"
-"<#Use 'smart' approaches to symbolic indexing problems#Manage symbolic indexing:C11>\n"
-"<#Pretty self explanatory#Enable tracing the first time something is tainted:C12>>\n"
+"<#It will let you perform symbolic execution and track user controlled input#Select engine to use#Symbolic Engine:R3>\n"
+"<#It allow you to track user controlled input#Taint Engine:R4>>\n"
 //
-"<#Try to automatically taint user input for you#Other pack#"
-"Configure automated tainting:C18>\n"
-"<#Taint the null byte from a string to taint his lenght#Taint end of string:C38>>\n"
+"<#Show debug info#Debug options#Show debug info in the output windows:C5>\n"
+"<#Max debug verbosity#Show EXTRA debug info in the output windows:C6>\n"
+"<#Use 'smart' approaches to symbolic indexing problems#Manage symbolic indexing (not implemented):C7>>\n"
 //
-"<#Auto taint argv. Will try to find the main function and taint#Tainting options#"
-"Taint argv:C29>\n"
-"<#In some cases argv[0] may be used to perform some checks#- Taint argv[0]:C19>\n"
-"<#Self explanatory#- Taint argc:C24>\n"
-"<#Taint the buffer received in every recv API call#\tTaint recv:C25>\n"
-"<#Taint the buffer read from a file#Taint fread:C26>>\n"
+"<#Auto taint argv. Will try to find the main function and taint#Tainting options#Taint argv:C8>\n"
+"<#Taint the null byte from a string to taint his lenght#- Taint end of string \\0:C9>\n"
+"<#In some cases argv[0] may be used to perform some checks#- Taint argv[0]:C10>\n"
+"<#Self explanatory#-  Taint argc:C11>\n"
+"<#Taint the buffer received in every recv API call#\tTaint recv (not implemented):C12>\n"
+"<#Taint the buffer read from a file#Taint fread (not implemented):C13>>\n"
 //
-"<#Add comments to controlled operands#IDA View expand info#"
-"Add comments with controlled operands:C69>\n"
-"<#This helps to track the tainted functions in large programms#Rename tainted function names:C89>\n"
-"<#Will add a comment for every instruction with his symbolic expression. Will dirt the IDA view.#Add comments with symbolic expresions:C70>\n"
-"<#Self explanatory#Paint executed instructions:C88>>\n"
+"<#Add comments to controlled operands#IDA View expand info#Add comments with controlled operands:C14>\n"
+"<#This helps to track the tainted functions in large programms#Rename tainted function names:C16>\n"
+"<#Will add a comment for every instruction with his symbolic expression. Will dirt the IDA view.#Add comments with symbolic expresions:C17>\n"
+"<#Self explanatory#Paint executed instructions:C18>>\n"
 //
-"<#comment#Color Tainted                 :K40:::>\n"
-"<#comment#Color Tainted Condition       :K41:::>\n"
-"<#comment#Color Executed Instruction    :K42:::>\n"
+"<#comment#Color Tainted                 :K19:::>\n"
+"<#comment#Color Tainted Condition       :K20:::>\n"
+"<#comment#Color Executed Instruction    :K21:::>\n"
 
-"<#Ponce will blacklist some functions that do not modify the passed parameters. You can select a file with the functions you want to blacklist#Blacklist file path    :f43::40:>\n"
+"<#Ponce will blacklist some functions that do not modify the passed parameters. You can select a file with the functions you want to blacklist#Blacklist file path:f22::40:>\n"
 
 "\n"
 ;

diff --git a/Ponce/src/globals.hpp b/Ponce/src/globals.hpp
@@ -83,8 +83,8 @@ extern bool hooked;
 
 //User options
 struct cmdOptionStruct{
-	uint64 limitInstructionsTracingMode = 1000;
-	uint64 limitTime = 100; //seconds
+	uint64 limitInstructionsTracingMode = 10000;
+	uint64 limitTime = 60; //seconds
 
 	//all this variables should be false and initialized in prompt_conf_window in utils.cpp
 	bool already_configured = false; // We use this variable to know if the user already configured anything or if this is the first configuration promt
@@ -100,10 +100,8 @@ struct cmdOptionStruct{
 	bool  showDebugInfo = false;
 	bool  showExtraDebugInfo = false;
 	bool  manageSymbolicIndexing = false;
-	bool  enableTracingAsTainted = false;
-	bool taintEndOfString = false;
-	bool  automatedTainting = false;
 	bool  taintArgv = false;
+	bool  taintEndOfString = false;
 	bool  taintArgv0 = false;
 	bool  taintArgc = false;
 	bool  taintRecv = false;