10:02 <tihmstar> the fuzzing we do is modifying a mov file
10:02 <tihmstar> then we try to open the mov file in mobileSafari hoping it will crash
10:02 <JBUni> because of the JIT compiler, right?
10:03 <tihmstar> by "fuzzing a file" we (at least i) mean modifying a file, basically randomly changing some bits
10:03 <tihmstar> *bytes
10:04 <JBUni> right, i get this
10:04 <tihmstar> we have a tool called zzuf which modifys the file for you, but since obvously there is a very low change to make MSafari crash by modifying some bytes we need to do it again and again
10:04 <tihmstar> therefore smart people around here (me included :P ) createt scripts/tools to automate this process
10:05 <tihmstar> all tools are a bit different
10:05 <JBUni> i have a question about that, actually
10:05 <tihmstar> ok just ask
10:06 <JBUni> is it possible to insert syscalls in the form of hex, and have the kernel read those and redirect to a different part of memory, etc?
10:06 <JBUni> instead of just random bytes
10:06 <tihmstar> to the mov parser?
10:06 <JBUni> yeah
10:06 <tihmstar> well that's more of a exploit
10:07 <tihmstar> first you need to know if there is a bug and how to trigger it
10:07 <JBUni> ah, and to do that, we need to find out where the parser breaks, right?
10:07 <JBUni> okay
10:07 <JBUni> gotcha
10:07 <tihmstar> then you can start looking at the bug hoping you can let it do something more like just crasjing the process, like inserting malcious code
10:07 → sock__ (was sock__-) joined ⇐ sock__ quit
10:08 <JBUni> hmmm
10:08 <tihmstar> looking at fuzzycactus for example: you give it a mov file and it automatically does following things in a loop (until the device crashes): creates a fuzzed file with zzuf, opens that file in mobilesafari, waits some time, kills safari and the loop starts from beginning obviuosly the new fuzzed file is different than the one before
10:09 <JBUni> but with a program that runs randomly like this, you're unable to keep proper track of which bugs happened
10:09 <JBUni> isn't it better to manually fuzz files?
10:09 <tihmstar> no ...
10:10 <JBUni> hmm... ok..
10:10 <tihmstar> fuzzycactus also looks for crashes and copies them into a dir
10:10 <JBUni> so we are only interested in crash logs?
10:10 <tihmstar> no ...
10:10 — JBUni facepalms
10:10 <JBUni> ok, i'll be quite, please go on
10:11 <JBUni> quiet*\
10:11 <tihmstar> it also pairs the crash to the mov file caused the crash and to the parameters were sent to zzuf to be able to recreate the file (which you actually don't need since it also copies you the fuzzed file to the dir)
10:11 <tihmstar> if you have a really good crash we are interested in your fuzzed mov file AND your original file
10:12 <tihmstar> in this case send both files and the crashlog to crakun (i think his mail was firstname.lastname@example.org but im not quite sure)
10:12 <JBUni> yeah, i know his email
10:12 <tihmstar> any questions?