Hi!
I am trying to fuzz `excelcnv.exe`, which is part of the Microsoft Office suite. Here is the Ghidra decompilation of my target function:
```c
/* WARNING: Function: _guard_dispatch_icall replaced with injection: guard_dispatch_icall */
/* int __cdecl ConvMainLoop(void) */
/*
 * Ghidra decompilation of the converter's main loop (the function used as the
 * fuzzing target in this report). Two paths are visible:
 *  - a COM class-object path, selected when an opaque GS-relative flag is
 *    non-zero: registers the Excel and Chart converter class objects, pumps a
 *    GetMessageW / DispatchMessageXl loop, then revokes them and calls
 *    CoUninitialize();
 *  - a command-line path: parses argv from CommandLineToArgvW, runs one
 *    conversion through a CExcel12Converter object, copies the result to the
 *    output path and optionally writes a ".tmp" success marker.
 * Both paths converge at LAB_141af0778, where HrDoQuit() is called; on a
 * negative HRESULT the code goes to CrashOrDoJmpHr() and an int 3 instead of
 * returning. That call site is the one the reporter patched out.
 */
int __cdecl ConvMainLoop(void)
{
code *pcVar1;
bool bVar2;
bool bVar3;
int iVar4;
long lVar5;
int iVar6;
SGN SVar7;
int iVar8;
CChart12Converter **ppCVar9;
undefined8 uVar10;
CChart12Converter *pCVar11;
longlong lVar12;
ConverterPrintSettings *pCVar13;
APPCORE *pAVar14;
basic_string<> *pbVar15;
basic_filebuf<> *pbVar16;
APPCORE *pAVar17;
short *this;
nothrow_t *pnVar18;
ulong uVar19;
CChart12Converter *pCVar20;
APPCORE *pAVar21;
char cVar22;
CChart12Converter *pCVar23;
ulonglong uVar24;
ThumbnailParams *pTVar25;
ValidDataCategories VVar26;
longlong unaff_GS_OFFSET;
undefined auStackY_ee8 [32];
bool local_eb8;
char local_eb7;
ulong local_eb4;
char local_eb0;
ulong local_ea8;
undefined4 uStack_ea4;
CChart12Converter *local_ea0;
CExcel12Converter *local_e98;
CChart12Converter *local_e90;
char *local_e88;
CChart12Converter *local_e80;
undefined4 local_e78;
undefined local_e74;
undefined4 local_e70;
undefined8 local_e68;
undefined4 local_e60;
undefined4 local_e5c;
undefined8 local_e58;
tagMSG local_e50 [56];
longlong local_e18;
basic_filebuf<> local_e10 [264];
undefined **local_d08;
char *local_d00;
APPCORE *local_cf8;
undefined2 local_cf0;
undefined8 local_ce8;
undefined8 uStack_ce0;
undefined8 local_cd8;
undefined8 uStack_cd0;
undefined8 local_cc8;
undefined8 uStack_cc0;
undefined8 local_cb8;
undefined8 uStack_cb0;
basic_string<> local_ca8 [32];
undefined2 local_c88 [264];
undefined4 local_a78;
nothrow_t local_a74 [520];
ulong local_86c;
wchar_t local_868 [257];
undefined2 local_666;
wchar_t local_458 [264];
wchar_t local_248 [264];
ulonglong local_38;
/* Stack cookie; verified by __security_check_cookie on the normal return path. */
local_38 = __security_cookie ^ (ulonglong)auStackY_ee8;
pCVar23 = (CChart12Converter *)0x0;
local_ea8 = 0;
local_e98 = (CExcel12Converter *)0x0;
local_ea0 = (CChart12Converter *)0x0;
local_eb0 = '\0';
local_eb8 = false;
/* Forces the Model3D A/B override off (local_eb8 is false here). The same
   local is reused further down as the -quickExitPostConversion flag. */
std::basic_string<>::basic_string<>
((basic_string<> *)&local_cc8,L"Microsoft.Office.Graphics.Model3D.EngineSupported");
Mso::AB::Test::SetOverride<bool>((basic_string<> *)&local_cc8,&local_eb8);
pbVar15 = (basic_string<> *)&local_cc8;
std::basic_string<>::_Tidy_deallocate(pbVar15);
FUninstallBootExceptionHandler();
FInstallGeneralExceptionHandler();
/* NOTE(review): the APPCORE argument here is the just-deallocated string
   pointer; this looks like a register-reuse artifact of the decompiler rather
   than a real argument -- confirm in the disassembly. */
bVar2 = APPCORE::FConverterSupport((APPCORE *)pbVar15,0x19);
bVar2 = !bVar2;
if (bVar2) {
ppCVar9 = &local_e90;
local_e80 = (CChart12Converter *)0x0;
}
else {
ppCVar9 = (CChart12Converter **)CreateConverterRootActivity(&local_ea8);
local_e80 = *ppCVar9;
}
*ppCVar9 = (CChart12Converter *)0x0;
pCVar20 = local_e90;
if ((bVar2) && (local_e90 != (CChart12Converter *)0x0)) {
Ordinal_18876(local_e90);
Ordinal_53248(pCVar20);
}
if ((!bVar2) && ((ScopeHolder *)CONCAT44(uStack_ea4,local_ea8) != (ScopeHolder *)0x0)) {
Mso::ActivityScope::ScopeHolder::`scalar_deleting_destructor'
((ScopeHolder *)CONCAT44(uStack_ea4,local_ea8),1);
}
/* Opaque per-thread flag read through GS:[0x58]; when non-zero the COM
   class-object path below runs instead of the command-line conversion. */
if (*(int *)(*(longlong *)((APPCORE *)**(undefined8 **)(unaff_GS_OFFSET + 0x58) + 0x10) + 0x6ec )
!= 0) {
local_eb4 = 0;
local_ea8 = 0;
/* COM path: register the Excel and Chart converter class objects, pump
   messages until GetMessageW returns 0, then revoke and release them. */
iVar4 = CoInitialize();
if (-1 < iVar4) {
lVar5 = HrRegisterExcelConverterComponent(&local_e98,&local_eb4);
uVar19 = 0;
if ((-1 < lVar5) &&
(lVar5 = HrRegisterChartConverterComponent(&local_ea0,&local_ea8), pCVar23 = local_ea0,
uVar19 = local_ea8, -1 < lVar5)) {
iVar4 = GetMessageW(local_e50,0,0,0);
uVar19 = local_ea8;
pCVar23 = local_ea0;
while (local_ea8 = uVar19, local_ea0 = pCVar23, iVar4 != 0) {
if (iVar4 != -1) {
TranslateMessage(local_e50);
DispatchMessageXl(local_e50);
}
iVar4 = GetMessageW(local_e50,0,0,0);
uVar19 = local_ea8;
pCVar23 = local_ea0;
}
}
if (local_eb4 != 0) {
CoRevokeClassObject();
}
/* Indirect calls through the objects' vtables (+0x10 / +8); which method
   this is (presumably a Release-style cleanup) is not recoverable here. */
if (local_e98 != (CExcel12Converter *)0x0) {
(**(code **)(*(longlong *)local_e98 + 0x10))();
}
if (uVar19 != 0) {
CoRevokeClassObject();
}
if (pCVar23 != (CChart12Converter *)0x0) {
(**(code **)(*(wchar_t **)pCVar23 + 8))();
}
}
CoUninitialize();
goto LAB_141af0778;
}
/* Command-line conversion path. */
bVar2 = APPCORE::FConverterSupport((APPCORE *)**(undefined8 **)(unaff_GS_OFFSET + 0x58),0x15);
if (!bVar2) goto LAB_141af0778;
local_eb8 = false;
local_e90 = (CChart12Converter *)0x0;
local_e98 = (CExcel12Converter *)0x0;
local_ea8 = 0;
local_eb7 = '\0';
local_e78 = 1;
local_e74 = 1;
local_e70 = 0;
local_e68 = 0x3ff0000000000000;
local_e60 = 0xffffffff;
local_e5c = 0;
local_e58 = 0;
/* local_248 is the password buffer that OpenPipeAndReadPassword fills below
   (-passwordnamedpipeid); it is cleared up front. */
memset(local_248,0,0x202);
DAT_14299a808 = 0;
DAT_14299a810 = 0;
/* Re-parse the process command line: local_eb4 receives argc, local_ea0 the
   argv array (released with LocalFree at the end of this path). */
uVar10 = GetCommandLineW();
pCVar11 = (CChart12Converter *)CommandLineToArgvW(uVar10,&local_eb4);
pCVar20 = pCVar23;
local_ea0 = pCVar11;
if (pCVar11 == (CChart12Converter *)0x0) {
LAB_141af0122:
bVar2 = false;
VVar26 = 4;
iVar6 = 10;
XlsDiag::SendTraceTag
(0x26c159c,0x354,10,4,
L"ConvMain: Basic arguments were not valid. format should follow: \'-in <in_path> -ou t <out_path>\' etc."
);
}
else {
uVar10 = 4;
uVar24 = 0x32;
XlsDiag::SendTraceTag
(0x26c159a,0x354,0x32,4,L"ConvMain: starting command line parse with %d arguments" );
bVar2 = true;
iVar4 = 1;
if ((int)local_eb4 < 1) goto LAB_141af0122;
/* Argument loop: pCVar11 walks argv one entry (8 bytes) at a time and iVar4
   is (current index + 1), so "iVar4 < argc" means one more argument follows
   and "iVar4 + 1 < argc" means two more do. */
do {
iVar6 = FSzEqual(*(wchar_t **)pCVar11,L"-writeSuccessFile");
if (iVar6 == 0) {
iVar6 = FSzEqual(*(wchar_t **)pCVar11,L"-quickExitPostConversion");
if (iVar6 == 0) {
iVar6 = FSzEqual(*(wchar_t **)pCVar11,L"-oice");
if ((((iVar6 != 0) || (iVar6 = FSzEqual(*(wchar_t **)pCVar11,L"-oics"), iVar6 != 0)) ||
(iVar6 = FSzEqual(*(wchar_t **)pCVar11,L"-bcs"), iVar6 != 0)) &&
(iVar4 + 1 < (int)local_eb4)) {
/* -oice/-oics/-bcs <in> <out>: local_e90 = input path, pCVar23 = output
   path. The output file's extension selects the format code kept in
   local_ea8 (4 .xltx, 3 .xlam, 2 .xlsm, 8 .ods, 9 .csv, 7 .pdf). */
local_e90 = *(CChart12Converter **)(pCVar11 + 8);
pCVar23 = *(CChart12Converter **)(pCVar11 + 0x10);
pAVar21 = (APPCORE *)wcsrchr(pCVar23,0x2e);
if (pAVar21 != (APPCORE *)0x0) {
uVar24 = 1;
SVar7 = SgnSzCompare((wchar_t *)pAVar21,L".xltx",1);
if (SVar7 == 0) {
local_ea8 = 4;
}
else {
uVar24 = 1;
SVar7 = SgnSzCompare((wchar_t *)pAVar21,L".xlam",1);
if (SVar7 == 0) {
local_ea8 = 3;
}
else {
uVar24 = 1;
pAVar17 = pAVar21;
SVar7 = SgnSzCompare((wchar_t *)pAVar21,L".xlsm",1);
if ((SVar7 == 0) && (bVar3 = APPCORE::FConverterSupport(pAVar17,2), bVar3)) {
local_ea8 = 2;
}
else {
uVar24 = 1;
pAVar17 = pAVar21;
SVar7 = SgnSzCompare((wchar_t *)pAVar21,L".ods",1);
if ((SVar7 == 0) && (bVar3 = APPCORE::FConverterSupport(pAVar17,0xf), bVar3)) {
local_ea8 = 8;
ConverterContext::s_fConvertingToODF = 1;
}
else {
uVar24 = 1;
pAVar17 = pAVar21;
SVar7 = SgnSzCompare((wchar_t *)pAVar21,L".csv",1);
if ((SVar7 == 0) && (bVar3 = APPCORE::FConverterSupport(pAVar17,0x14), bVar 3))
{
local_ea8 = 9;
ConverterContext::s_fConvertingToCSV = true;
}
else {
uVar24 = 1;
pAVar17 = pAVar21;
SVar7 = SgnSzCompare((wchar_t *)pAVar21,L".xls*",1);
if ((SVar7 == 0) && (bVar3 = APPCORE::FConverterSupport(pAVar17,2), bVar3 ))
{
ConverterContext::s_fDynamicConversion = 1;
}
else {
pAVar17 = pAVar21;
SVar7 = SgnSzCompare((wchar_t *)pAVar21,L".pdf",1);
if ((SVar7 == 0) && (bVar3 = APPCORE::FConverterSupport(pAVar17,6), bVa r3)
) {
pCVar13 = ConverterContext::PConvPrintSettings();
uVar10 = 4;
uVar24 = 0x32;
XlsDiag::SendTraceTag
(0x650753,0x354,0x32,4,
L"ConverterPrintSettings::SetPrintingToPdf - Converter is pri nting to PDF."
);
ConverterPrintSettings::InitDefaultPaperSize(pCVar13);
*pCVar13 = (ConverterPrintSettings)0x1;
local_ea8 = 7;
}
else {
uVar24 = 1;
SVar7 = SgnSzCompare((wchar_t *)pAVar21,L".xlsx",1);
if (SVar7 == 0) {
ConverterContext::s_fStripVBAProject =
FSzEqual(*(wchar_t **)pCVar11,L"-oics");
}
else {
uVar24 = 1;
SVar7 = SgnSzCompare((wchar_t *)pAVar21,L".png",1);
if (SVar7 == 0) {
local_e74 = 1;
ConverterContext::s_fGeneratingThumbnail = true;
}
else {
uVar24 = 1;
SVar7 = SgnSzCompare((wchar_t *)pAVar21,L".jpg",1);
if (SVar7 == 0) {
local_e74 = 0;
ConverterContext::s_fGeneratingThumbnail = true;
}
else {
/* Unknown output extension: logged via a structured diagnostic trace
   and (per the trace text) treated as xlsx. */
local_d08 = &Mso::Diagnostics::ClassifiedStructuredObject<>::
`vftable';
local_d00 = "Input file extension";
local_cf0 = 0x20;
uStack_ce0 = 0;
local_cd8 = 0;
uStack_cd0 = 7;
local_ce8 = 0;
local_e88 =
"Unknown output extension passed to converter, defaulting to xlsx! "
;
uVar24 = 10;
local_cf8 = pAVar21;
Mso::Diagnostics::SendDiagnosticTrace<>
(0x64e405,0x354,10,(ValidDataCategories)uVar10,
(StringLiteral<char> *)&local_e88,
(ClassifiedStructuredObject<> *)&local_d08);
std::basic_string<>::_Tidy_deallocate
((basic_string<> *)&local_ce8);
}
}
}
}
}
}
}
}
}
}
}
}
/* When printing to PDF, the print settings parse the whole argv themselves. */
pCVar13 = ConverterContext::PConvPrintSettings();
if (*pCVar13 != (ConverterPrintSettings)0x0) {
pCVar13 = ConverterContext::PConvPrintSettings();
uVar24 = (ulonglong)local_eb4;
bVar2 = ConverterPrintSettings::FParseFromCmdLineArgs
(pCVar13,(wchar_t **)local_ea0,local_eb4);
}
/* -repair <path>: sets the global repair flag and the repair output path
   (local_e98); a missing path aborts parsing. */
iVar6 = FSzEqual(*(wchar_t **)pCVar11,L"-repair");
if (iVar6 != 0) {
DAT_1429c30f8 = '\x01';
if ((int)local_eb4 <= iVar4) {
bVar2 = false;
VVar26 = 4;
iVar6 = 10;
XlsDiag::SendTraceTag
(0x26c159b,0x354,10,4,
L"ConvMain: Repair arguments was not valid. no file path followed the \'-re pair\' flag"
);
break;
}
local_e98 = *(CExcel12Converter **)(pCVar11 + 8);
}
/* -k <path>: a zero return from OpenAndReadKey marks the arguments invalid
   (bVar2 = false) and leaves the loop. */
pAVar21 = *(APPCORE **)pCVar11;
iVar6 = FSzEqual((wchar_t *)pAVar21,L"-k");
if ((iVar6 != 0) && (iVar4 < (int)local_eb4)) {
pAVar21 = *(APPCORE **)(pCVar11 + 8);
iVar8 = OpenAndReadKey((wchar_t *)pAVar21);
VVar26 = (ValidDataCategories)uVar10;
iVar6 = (int)uVar24;
if (iVar8 != 0) goto LAB_141aefd2b;
LAB_141af00fa:
bVar2 = false;
break;
}
LAB_141aefd2b:
/* -passwordnamedpipeid <id>: reads the document password into local_248;
   a zero return is treated like a bad -k argument. */
bVar3 = APPCORE::FConverterSupport(pAVar21,0x12);
if (((bVar3) &&
(iVar6 = FSzEqual(*(wchar_t **)pCVar11,L"-passwordnamedpipeid"), iVar6 != 0)) &&
(iVar4 < (int)local_eb4)) {
iVar8 = OpenPipeAndReadPassword(*(wchar_t **)(pCVar11 + 8),local_248);
VVar26 = (ValidDataCategories)uVar10;
iVar6 = (int)uVar24;
if (iVar8 == 0) goto LAB_141af00fa;
}
/* Remaining switches only set ConverterContext globals. */
iVar6 = FSzEqual(*(wchar_t **)pCVar11,L"-flightodfrepairenabled");
if (iVar6 != 0) {
ConverterContext::s_fConverterOdfFileRepairEnabled = true;
}
iVar6 = FSzEqual(*(wchar_t **)pCVar11,L"-mdp");
if ((iVar6 != 0) && (iVar4 < (int)local_eb4)) {
ConverterContext::s_wzPathToWriteMetadataFile = *(wchar_t **)(pCVar11 + 8);
ConverterContext::s_fWriteMetadataFile = true;
}
iVar6 = FSzEqual(*(wchar_t **)pCVar11,L"-keepPDFProtection");
if (iVar6 != 0) {
ConverterContext::s_fKeepPDFProtection = true;
}
iVar6 = FSzEqual(*(wchar_t **)pCVar11,L"-clpTenantId");
if ((iVar6 != 0) && (iVar4 < (int)local_eb4)) {
ConverterContext::s_wzTenantId = *(wchar_t **)(pCVar11 + 8);
}
iVar6 = FSzEqual(*(wchar_t **)pCVar11,L"-clpSupportsOfficeClientCoauthoring");
if (iVar6 != 0) {
ConverterContext::s_fSupportsOfficeClientCoauthoring = true;
}
iVar6 = FSzEqual(*(wchar_t **)pCVar11,L"-allowMismatchedFileFormatConversionForBCS");
if (iVar6 != 0) {
ConverterContext::s_fAllowMismatchedFileFormatConversionForBCS = true;
}
}
else {
/* -quickExitPostConversion: remembered in local_eb8, acted on after the
   conversion (TerminateProcess below). */
uVar10 = 4;
uVar24 = 0x32;
XlsDiag::SendTraceTag
(0x1e623149,0x354,0x32,4,L"ConvMain: Exit post conversion switch engaged.");
local_eb8 = true;
}
}
else {
/* -writeSuccessFile: remembered in local_eb0. */
uVar10 = 4;
uVar24 = 0x32;
XlsDiag::SendTraceTag
(0x1e61735e,0x354,0x32,4,L"ConvMain: write temp file on successful conversion." );
local_eb0 = '\x01';
}
VVar26 = (ValidDataCategories)uVar10;
iVar6 = (int)uVar24;
pCVar11 = pCVar11 + 8;
bVar3 = iVar4 < (int)local_eb4;
iVar4 = iVar4 + 1;
} while (bVar3);
/* Basic validation: input and output paths are both required, and -repair
   requires its own path. */
pCVar20 = local_e90;
if (((local_e90 == (CChart12Converter *)0x0) || (pCVar23 == (CChart12Converter *)0x0)) ||
((DAT_1429c30f8 != '\0' && (local_e98 == (CExcel12Converter *)0x0)))) goto LAB_141af0122;
}
pCVar11 = local_ea0;
if (ConverterContext::s_fGeneratingThumbnail != false) {
pTVar25 = (ThumbnailParams *)&local_e78;
bVar2 = FParseCmdLineArgsThumbnail((wchar_t **)local_ea0,local_eb4,pTVar25);
iVar6 = (int)pTVar25;
}
cVar22 = local_eb7;
if ((pCVar20 != (CChart12Converter *)0x0) &&
(lVar12 = wcsrchr(pCVar20), cVar22 = local_eb7, lVar12 != 0)) {
iVar6 = 1;
iVar4 = Ordinal_55665(lVar12);
if (iVar4 == 0) {
iVar6 = 1;
iVar4 = Ordinal_55665(lVar12);
cVar22 = local_eb7;
if (iVar4 == 0) goto LAB_141af01c3;
}
cVar22 = '\x01';
}
LAB_141af01c3:
/* Two more opaque GS-relative flags ("fake LCIDs" / "fake Hculture" test
   modes); each is only accepted when printing to PDF (LCIDs also for CSV). */
lVar12 = **(longlong **)(unaff_GS_OFFSET + 0x58);
if ((((*(int *)(*(longlong *)(lVar12 + 0x10) + 0xb9c) != 0) &&
(pCVar13 = ConverterContext::PConvPrintSettings(), *pCVar13 == (ConverterPrintSettings)0x 0))
&& (cVar22 == '\0')) &&
((DAT_1429c30f8 == '\0' && (ConverterContext::s_fConvertingToCSV == false)))) {
VVar26 = 4;
iVar6 = 10;
XlsDiag::SendTraceTag
(0x64e406,0x354,10,4,
L"ConvMain: Using fake LCIDs is only supported for printing to PDF or converting CSV/ SKV files."
);
bVar2 = false;
}
if ((*(int *)(*(longlong *)(lVar12 + 0x10) + 0xba8) != 0) &&
(pCVar13 = ConverterContext::PConvPrintSettings(), *pCVar13 == (ConverterPrintSettings)0x0) ) {
VVar26 = 4;
iVar6 = 10;
XlsDiag::SendTraceTag
(0x2169b596,0x354,10,4,
L"ConvMain: Using fake Hculture is only supported for printing to PDF.");
bVar2 = false;
}
if (bVar2 == false) {
/* Invalid arguments: log the full command line and set the error code. */
local_cf8 = (APPCORE *)GetCommandLineW();
local_d08 = &Mso::Diagnostics::ClassifiedStructuredObject<>::`vftable';
local_d00 = "Command line arguments";
local_cf0 = 0x20;
uStack_ce0 = 0;
local_cd8 = 0;
uStack_cd0 = 7;
local_ce8 = 0;
local_e88 = "Invalid command line arguments passed to converter";
Mso::Diagnostics::SendDiagnosticTrace<>
(0x64e409,0x354,10,VVar26,(StringLiteral<char> *)&local_e88,
(ClassifiedStructuredObject<> *)&local_d08);
std::basic_string<>::_Tidy_deallocate((basic_string<> *)&local_ce8);
ConverterContext::s_scfcConversionError = 0x100000;
}
else {
/* Valid arguments: build the converter object, run it, copy the result. */
pCVar13 = ConverterContext::PConvPrintSettings();
pAVar21 = (APPCORE *)0x0;
if (*pCVar13 != (ConverterPrintSettings)0x0) {
iVar6 = 4;
EnumFaceNames((wchar_t *)0x0,(FLST *)0x0,4,VVar26);
}
local_458[0] = L'\0';
if (0 < (int)local_eb4) {
AddOfficeSymbolFont(*(wchar_t **)pCVar11,local_458,iVar6);
}
local_a78 = 0;
/* Copy the pipe-supplied password (if any) into the converter parameter block. */
if (local_248[0] == L'\0') {
local_868[0] = L'\0';
}
else {
CchSzToSt(local_248,local_868,0x101);
}
local_666 = 0;
local_86c = local_ea8;
local_c88[0] = 0;
pnVar18 = local_a74;
/* Bounded copy of the input path (at most 0x104 wide chars) into local_a74. */
MsoWzCopy((wchar_t *)local_e90,(wchar_t *)pnVar18,0x104);
/* nothrow new of a 0x38-byte CExcel12Converter; the two vtables are those
   for IExcel12Converter and IClassFactory. */
pAVar14 = (APPCORE *)operator_new(0x38,pnVar18);
pAVar17 = pAVar21;
if (pAVar14 != (APPCORE *)0x0) {
*(undefined ***)pAVar14 = &CExcel12Converter::`vftable'{for_`IExcel12Converter'};
*(undefined ***)(pAVar14 + 8) = &CExcel12Converter::`vftable'{for_`IClassFactory'};
*(longlong *)(pAVar14 + 0x28) = 0;
*(longlong *)(pAVar14 + 0x30) = 0;
*(longlong *)(pAVar14 + 0x10) = 0;
*(longlong *)(pAVar14 + 0x20) = 0;
pAVar17 = pAVar14;
}
if (pAVar17 != (APPCORE *)0x0) {
/* Vtable calls at +0x18, +0x28 and +0x30 -- presumably initialise, convert
   and tear down; confirm against the binary's vtable layout. */
iVar4 = (**(code **)(*(longlong *)pAVar17 + 0x18))(pAVar17);
if (-1 < iVar4) {
XlsDiag::SendTraceTag
(0x64e407,0x354,0x32,4,L"ConvMain: Calling converter to begin conversion.");
if (ConverterContext::s_fGeneratingThumbnail != false) {
*(undefined4 **)(pAVar17 + 0x28) = &local_e78;
}
bVar2 = InCellControlsFlighting::FForceInCellControlsPrintingInConverter();
if (bVar2) {
*(wchar_t **)(pAVar17 + 0x30) = local_458;
}
iVar4 = (**(code **)(*(longlong *)pAVar17 + 0x28))(pAVar17);
pAVar14 = pAVar17;
(**(code **)(*(longlong *)pAVar17 + 0x30))();
if (-1 < iVar4) {
bVar2 = APPCORE::FConverterSupport(pAVar14,3);
if (bVar2) {
/* Compute wcslen(output path) with the do/while and overwrite its last
   wide char: 'x' (0x78) normally, 'm' (0x6d) when the document was
   dynamically converted to xlsm (which is then signalled as an "error"). */
if (ConverterContext::s_fDynamicallyConvertedToXlsm == 0) {
pAVar14 = (APPCORE *)0xffffffffffffffff;
if (pCVar23 != (CChart12Converter *)0x0) {
do {
pAVar21 = pAVar14 + 1;
pAVar14 = pAVar21;
} while (*(short *)(pCVar23 + (longlong)pAVar21 * 2) != 0);
}
*(undefined2 *)(pCVar23 + (longlong)(int)pAVar21 * 2 + -2) = 0x78;
}
else {
pAVar14 = (APPCORE *)0xffffffffffffffff;
if (pCVar23 != (CChart12Converter *)0x0) {
do {
pAVar21 = pAVar14 + 1;
pAVar14 = pAVar21;
} while (*(short *)(pCVar23 + (longlong)pAVar21 * 2) != 0);
}
*(undefined2 *)(pCVar23 + (longlong)(int)pAVar21 * 2 + -2) = 0x6d;
XlsDiag::SendTraceTag
(0x65d321,0x354,0x32,4,
L"ConvMain: Setting \'error\' code to scfcDynamicXlsmConversion to signal t hat we dynamically converted to xlsm."
);
ConverterContext::s_scfcConversionError = 0xc0000;
}
}
/* Copy the converted temp file (local_c88) over the output path;
   bFailIfExists is 0, so an existing output file is overwritten. */
XlsDiag::SendTraceTag(0x1e3d60db,0x354,0x32,4,L"ConvMain: Copying file.");
this = local_c88;
CopyFileW(this,pCVar23,0);
if (DAT_1429c30fa != 0) {
this = &DAT_1429c30fa;
CopyFileW(&DAT_1429c30fa,local_e98,0);
}
bVar2 = APPCORE::FConverterSupport((APPCORE *)this,0x1a);
if ((bVar2) && (ConverterContext::s_fWriteMetadataFile != false)) {
ConverterContext::WriteMetadataFile();
}
iVar4 = 4;
XlsDiag::SendTraceTag
(0x64e408,0x354,0x32,4,L"ConvMain: Conversion completed successfully.");
/* -writeSuccessFile: write a marker file whose name is built from the
   output path and ".tmp" (argument order of operator+ not recoverable). */
if (local_eb0 != '\0') {
uStack_cc0 = 0;
local_cb8 = 0;
uStack_cb0 = 7;
local_cc8 = 0;
iVar6 = std::basic_string<>::basic_string<>((basic_string<> *)&local_d08,L".tmp");
pbVar15 = (basic_string<> *)std::operator+<>(local_ca8,pCVar23);
std::basic_string<>::operator=((basic_string<> *)&local_cc8,pbVar15);
std::basic_string<>::_Tidy_deallocate(local_ca8);
std::basic_string<>::_Tidy_deallocate((basic_string<> *)&local_d08);
std::basic_ofstream<>::basic_ofstream<>
((basic_ofstream<> *)&local_e18,(basic_string<> *)&local_cc8,iVar6,iVar4);
std::operator<<<>((basic_ostream<> *)&local_e18,
"Temp file created for successful conversions.");
pbVar16 = std::basic_filebuf<>::close(local_e10);
if (pbVar16 == (basic_filebuf<> *)0x0) {
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
(local_e10 + (longlong)*(int *)(local_e18 + 4) + -8);
}
std::basic_ofstream<>::`vbase_destructor'((basic_ofstream<> *)&local_e18);
std::basic_string<>::_Tidy_deallocate((basic_string<> *)&local_cc8);
}
}
}
/* -quickExitPostConversion: the process is terminated from inside
   ConvMainLoop, i.e. this is one place where the target function never
   returns to its caller. */
if (local_eb8 != false) {
XlsDiag::SendTraceTag
(0x1e623148,0x354,0x32,4,L"ConvMain: Exiting via post conversion switch.");
uVar10 = GetCurrentProcess();
TerminateProcess(uVar10);
}
Ordinal_53248(pAVar17);
}
if ((local_458[0] != L'\0') && (iVar4 = RemoveFontResourceExW(local_458), iVar4 == 0)) {
XlsDiag::SendTraceTag
(0x258e8e0,0x354,10,4,L"ConvMain: Unable to uninstall Office Symbol font.");
}
}
if (pCVar11 != (CChart12Converter *)0x0) {
LocalFree(pCVar11);
}
if (DAT_14299a808 != 0) {
Ordinal_53248();
}
LAB_141af0778:
/* Common exit for both paths. HrDoQuit() is the call the reporter NOPed
   out (together with the JS that follows it). If HrDoQuit returns a negative
   HRESULT the code falls into CrashOrDoJmpHr() and an int 3 (swi(3)), so the
   function does not return normally in that case. */
if (local_e80 != (CChart12Converter *)0x0) {
Mso::ActivityScope::ScopeHolder::`scalar_deleting_destructor'((ScopeHolder *)local_e80,1);
}
local_ea8 = 0;
lVar5 = HrDoQuit((OPER **)0x0,0,0,(int *)&local_ea8);
if (-1 < lVar5) {
iVar4 = __security_check_cookie(local_38 ^ (ulonglong)auStackY_ee8);
return iVar4;
}
CrashOrDoJmpHr(1,*(ENV **)(*(longlong *)(**(longlong **)(unaff_GS_OFFSET + 0x58) + 0x10) + 0x15 0),
lVar5,0x1f107701);
pcVar1 = (code *)swi(3);
iVar4 = (*pcVar1)();
return iVar4;
}
```
Now, because the target function must not exit the process during execution, I patched out the call to `HrDoQuit` and made the `if (-1 < lVar5)` check unconditional, because I always want the function to return successfully. I did this with the following script:
```
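#!/usr/bin/env python3
'''
141af0797 45 33 c0 XOR R8D ,R8D
141af079a 33 d2 XOR EDX ,EDX
141af079c 33 c9 XOR ECX ,ECX
141af079e e8 dd c9 CALL HrDoQuit long HrDoQuit(OPER * * param_1,
c2 fe
141af07a3 85 c0 TEST EAX ,EAX
141af07a5 78 3a JS LAB_141af07e1
141af07a7 41 f7 d6 NOT R14D
141af07aa 41 c1 ee SHR R14D ,0x1f
1f
141af07ae 41 8b c6 MOV EAX ,R14D
'''
# Bytes at the HrDoQuit call site shown in the docstring:
#   45 33 c0 / 33 d2 / 33 c9   XOR R8D,R8D / XOR EDX,EDX / XOR ECX,ECX
#   e8 dd c9 c2 fe             CALL HrDoQuit
#   85 c0                      TEST EAX,EAX
#   78 3a                      JS LAB_141af07e1
#   41 f7 d6                   NOT R14D
# bytes.fromhex() skips the spaces, so no manual stripping is needed.
ORIG_BYTES = bytes.fromhex("45 33 c0 33 d2 33 c9 e8 dd c9 c2 fe 85 c0 78 3a 41 f7 d6")
# Patched version: the 5-byte CALL and the 2-byte JS are replaced by NOPs
# (0x90), so HrDoQuit is never called and the success path is always taken.
NEW_BYTES = bytes.fromhex("45 33 c0 33 d2 33 c9 90 90 90 90 90 85 c0 90 90 41 f7 d6")
# An in-place code patch must keep the file size; otherwise every offset after
# the patch site (including the fuzzer's -target_offset) would shift.
assert len(ORIG_BYTES) == len(NEW_BYTES), "patch must be length-preserving"
INPUT_FILENAME = "input_binary.exe"
OUTPUT_FILENAME = "excelcnv_output.exe"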
def xxd(data: bytes, width: int = 16):
    """Print ``data`` as a classic hex dump.

    Each row shows the 8-digit hex offset, ``width`` bytes as two-digit hex
    values (left-justified to ``width * 3`` columns) and an ASCII column in
    which bytes outside 0x20..0x7e are rendered as '.'.
    Prints nothing for empty input.
    """
    for offset in range(0, len(data), width):
        row = data[offset:offset + width]
        hex_col = " ".join("%02x" % byte for byte in row)
        text_col = "".join(chr(byte) if 32 <= byte < 127 else "." for byte in row)
        print("%08x %-*s %s" % (offset, width * 3, hex_col, text_col))
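def patch(input_filename=None, output_filename=None, orig_bytes=None, new_bytes=None, preview=True):
    """Apply a length-preserving in-place byte patch to a binary.

    Reads ``input_filename``, replaces the single occurrence of ``orig_bytes``
    with ``new_bytes`` and writes the result to ``output_filename``. Every
    parameter defaults to the module-level constant of the same name
    (INPUT_FILENAME, OUTPUT_FILENAME, ORIG_BYTES, NEW_BYTES), so a bare
    ``patch()`` does what the original script did.

    Args:
        input_filename: path of the binary to read.
        output_filename: path the patched copy is written to.
        orig_bytes: byte pattern to locate; it must occur exactly once so the
            patch cannot land on a look-alike sequence elsewhere in the file.
        new_bytes: replacement; must be the same length as ``orig_bytes`` or
            every offset after the patch site (and the fuzzer's
            -target_offset) would shift.
        preview: when true, hex-dump 0x30 bytes at file offset 0x1af0797
            before patching. NOTE(review): this is the low part of the
            disassembly address used as a raw file offset, which only lines up
            with the code if file offset == RVA for that section -- confirm.

    Raises:
        ValueError: if the two patterns differ in length, or ``orig_bytes``
            does not occur exactly once in the input.
    """
    if input_filename is None:
        input_filename = INPUT_FILENAME
    if output_filename is None:
        output_filename = OUTPUT_FILENAME
    if orig_bytes is None:
        orig_bytes = ORIG_BYTES
    if new_bytes is None:
        new_bytes = NEW_BYTES
    if len(orig_bytes) != len(new_bytes):
        raise ValueError(
            "patch must be length-preserving: %d original vs %d replacement bytes"
            % (len(orig_bytes), len(new_bytes)))
    # `with` releases the handle even if a later check raises.
    with open(input_filename, "rb") as fh:
        orig_data = fh.read()
    if preview:
        offset_stuff = 0x1af0797  # Offset into the thing...
        how_many = 0x30
        xxd(orig_data[offset_stuff:offset_stuff + how_many])
    count = orig_data.count(orig_bytes)
    print("Here is the count: " + str(count))
    if count != 1:
        # Should only be one instance of such bytestring
        raise ValueError(
            "expected exactly one occurrence of the original bytes, found %d" % count)
    new_data = orig_data.replace(orig_bytes, new_bytes)
    with open(output_filename, "wb") as fh:
        fh.write(new_data)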
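if __name__ == "__main__":
    patch()
    # `exit` is injected by the `site` module and is not guaranteed to exist
    # (e.g. under `python -S`); raising SystemExit is the portable equivalent.
    raise SystemExit(0)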
```
With that patch the function returns. However, when I try to fuzz with the following command line:
```
C:\Users\elsku\actual_winafl\winafl\build64\bin\Release\afl-fuzz.exe -T 100000 -d -i corpus -o findings -y -t 600000 -f fuzz_input.xlsx -- -instrument_module excelcnv.exe -generate_unwind -stack_offset 1024 -iterations 1000000 -target_module excelcnv.exe -target_offset 0x1aef8a0 -nargs 0 -persist -loop -- "C:\Program Files\Microsoft Office\root\Office16\excelcnv.exe" -nme -oice "C:\Users\elsku\fuzz_excelcnv\fuzz_input.xlsx" "C:\Users\elsku\fuzz_excelcnv\output.xls" -log "C:\Users\elsku\fuzz_excelcnv\log.txt"
```
it reports this error:
```
[+] You have 12 CPU cores with average utilization of 0%.
[+] Try parallel jobs - see afl_docs\parallel_fuzzing.txt.
[*] Checking CPU core loadout...
[+] Found a free CPU core, binding to #0.
[+] Process affinity is set to 1.
[*] Setting up output directories...
[+] Output directory exists but deemed OK to reuse.
[*] Deleting old session data...
[+] Output dir cleanup successful.
[*] Scanning 'corpus'...
[+] No auto-generated dictionary tokens to reuse.
[*] Creating hard links for all input files...
[*] Attempting dry run with 'id_000000'...
Exception at address 00007FFF326F950D
Access address: 0000000000000000
[!] WARNING: Target function not reached, retrying with a clean process
Exception at address 00007FFF326F950D
Access address: 0000000000000000
[-] PROGRAM ABORT : Process crashed before reaching the target method
Location : tinyinst_run(), C:\Users\elsku\actual_winafl\winafl\tinyinst_afl.cpp:113
```
For comparison, the output without patching the `HrDoQuit` call looks like this:
```
[+] You have 12 CPU cores with average utilization of 0%.
[+] Try parallel jobs - see afl_docs\parallel_fuzzing.txt.
[*] Checking CPU core loadout...
[+] Found a free CPU core, binding to #0.
[+] Process affinity is set to 1.
[*] Setting up output directories...
[+] Output directory exists but deemed OK to reuse.
[*] Deleting old session data...
[+] Output dir cleanup successful.
[*] Scanning 'corpus'...
[+] No auto-generated dictionary tokens to reuse.
[*] Creating hard links for all input files...
[*] Attempting dry run with 'id_000000'...
Instrumented module excelcnv.exe, code size: 36737024
[!] WARNING: Process exit during target function
[-] The program took more than 600000 ms to process one of the initial test cases.
In WinAFL, this error could also mean incorrect instrumentation params.
Please make sure instrumentation runs correctly using the debug mode
(see the README) before attempting to run afl-fuzz.
[-] PROGRAM ABORT : Test case 'id_000000' results in a timeout
Location : perform_dry_run(), C:\Users\elsku\actual_winafl\winafl\afl-fuzz.c:3254
```
Therefore the message `Target function not reached` is incorrect here: the crash happens only after returning from the target function, not inside it or before it is reached. This misleads developers.