• Discover inputs that trigger heap operations in a binary program.
• Find inputs to achieve the desired heap layout.

• Python 3
• GCC (sudo apt install gcc g++ make)
• Capstone Engine (sudo apt install libcapstone-dev)
• cmake (sudo apt install cmake)
• LLVM (sudo apt install llvm-dev)
• zlib (sudo apt install zlib1g-dev)

It finds the main loop by analyzing the LLVM IR code, which is lifted from the binary. Users can use either RetDec or McSema as the lifter, and the prerequisites are as follows, respectively.

• RetDec

• McSema

..., and a disassembler required by McSema, like:

• IDA Pro

make
./tracer.py -o results/naive/tracer test/naive
./solver.py -o results/naive -s random results/naive/tracer/spec.py test/naive
./solver.py -o results/naive/simple -a allocator/simplemalloc/simplemalloc.so -s random results/naive/tracer/spec.py test/naive