nargs question about winafl HOT 2 CLOSED

Hi,

You should have some level of familiarity with your target function, at least in the sense that you should have general idea what the function does (see "How to select a target function" in README) and the number of arguments it takes.

In case all you have is a binary, this means you might have to do some reversing. Tools like Ida could probably tell you the number of arguments, but you should be able to figure it out with WinDbg or another tool of your choice with some work.

"can we always count on register and stack being set up immediately before the call"
Setting up the function arguments is the responsibility of the caller, so yes

"Also, what are the consequences of using the wrong number arguments passed to the target method?"
If you specify too little arguments, then some of the arguments won't be restored to their initial state between fuzzing iterations which might cause unpredictable behavior, crashes etc.
If you specify too much arguments, some register and/or stack values will be restored to their initial state even though they don't store function arguments. Most likely nothing bad will happen as a result of this.

from winafl.

"Setting up the function arguments is the responsibility of the caller, so yes"

I know that, but what I meant was, for example, if the caller calls 2 functions one after another, and uses RCX, RDX and R8 in first, but sets up only RCX and RDX after the first and before the second call, can we be sure that only those 2 arguments are passed to the second function, or is R8 being implicitly passed?

On MSDN it says that "RAX, RCX, RDX, R8, R9, R10, R11 are considered volatile and must be considered destroyed on function calls", so I would take that it means there can be no "implicit" passing of values in those registers between the function calls...

Thanks for the answer, I'm just getting started in this field, so your help is very much appreciated... :)

from winafl.