In this tutorial I’ll be detailing the process used to develop a Peach Pit for the RAR file format. I’ll also be discussing the use of Fixups and the steps required to implement your own custom Fixup. This article is intended to build upon the skills described in my first article so if you haven’t read it, I highly recommend doing so before continuing. You can find that article here. With that said, the following will assume that you have working level knowledge of the Peach Pit format.

Again, I’d like to thank Mike Eddington and the rest of the Peach community for such a great product. Make sure you check out the Peach project page and the Peach Google Group.

A quick update: after posting this article I realized that Mike also has a very informative section on extending Peach with custom Fixups. You can find that article here.

Getting Started

To begin, let’s grab a copy of the most recent RAR tech note available here. Please note that since the tech note does not fully describe the specification, some of the information contained in this Pit has been enumerated from the UnRAR source, 010 RAR Binary Template, and other sources.

Moving right along, we see that the specification is defined as a series of block-like structures, each of which contains several recurring elements. As we are unable to tell in which order some of these blocks will occur, we will wrap all blocks in a Choice element. Let’s begin by creating the block structure for the “Marker Block”.

	<Choice maxOccurs="1000">
	<!-- Marker block ( MARK_HEAD ) -->
		<Block name="MarkerBlock">
			<String name="MarkHeadCRC32" valueType="hex" value="5261" token="true" mutable="false">
				<Hint name="NumericalString" value="true"/>
			</String>				
			<Number name="MarkHeadType" size="8" endian="little" signed="false" value="114" token="true" mutable="false"/>
			<String name="MarkHeadFlags" valueType="hex" value="211A" token="true" mutable="false">
				<Hint name="NumericalString" value="true"/>
			</String>
			<Number name="MarkHeadSize" size="16" endian="little" signed="false" value="7" token="true" mutable="false"/>
		</Block>
	</Choice>

Here you can see that we’ve defined 4 elements, all of which, according to the specification, will contain static values. As such, I’ve defined each element as token="true" and mutable="false". Moving right along, we’ll also create the structure for our next block.

The “Main Head” block contains 6 elements. These elements are well-defined in the technote. The basic structure of this block should look like the following.

      <!--  Archive header ( MAIN_HEAD ) -->
        <Block name="ArchiveHeader">
        <Number name="ArchiveHeadCRC16" size="16" endian="little" signed="false" mutable="false"/>
        <Block name="ArchiveHeaderData">		
          <String name="ArchiveHeadType" valueType="hex" value="73" token="true" mutable="false">
            <Hint name="NumericalString" value="true"/>
          </String>
          <Flags name="HeadFlags" size="16">
            <Flag name="VolumeAttribute" position="0" size="1"/> <!-- 0x0001 -->
            <Flag name="ArchiveLockAttribute" position="2" size="1"/> <!-- 0x0004 -->
            <Flag name="SolidAttribute" position="3" size="1"/> <!-- 0x0008 -->
            <Flag name="VolumeNamingScheme" position="4" size="1"/> <!-- 0x0010 -->
            <Flag name="AuthenticityInformation" position="5" size="1"/> <!-- 0x0020 -->
            <Flag name="RecoveryRecord" position="6" size="1"/> <!-- 0x0040 --> 
            <Flag name="EncryptedBlockHeaders" position="7" size="1"/> <!-- 0x0080 -->
            <Flag name="FirstVolume" position="8" size="1"/> <!-- 0x0100 -->
            <Flag name="Internal1" position="9" size="1" /> <!-- Internal Use Only -->
            <Flag name="Internal2" position="10" size="1" /> <!-- Internal Use Only -->
            <Flag name="Internal3" position="11" size="1" /> <!-- Internal Use Only -->
            <Flag name="Internal4" position="12" size="1" /> <!-- Internal Use Only -->
            <Flag name="Internal5" position="13" size="1" /> <!-- Internal Use Only -->
            <Flag name="Internal6" position="14" size="1" /> <!-- Internal Use Only -->
            <Flag name="Internal7" position="15" size="1" /> <!-- Internal Use Only -->
            </Flags>
            <Number name="HeadSize" size="16" endian="little" signed="false">
              <Relation type="size" of="ArchiveHeader"/>
            </Number>
            <Number name="Reserved1" size="16" endian="little" signed="false"/>
            <Number name="Reserved2" size="32" endian="little" signed="false"/>
          </Block>
        </Block>

Now again, the structure of this block should be fairly straightforward. However, we will need to discuss the “ArchiveHeadCRC16” element in further detail.

The ArchiveHeadCRC16 element, like several elements present in the other blocks, holds a CRC checksum of all data in the block, excluding itself of course. In most cases, if the CRC is incorrect, the application will discard the archive as corrupt and exit. This means that as we fuzz certain elements and blocks, we will need to update the CRC checksum so that the file is not discarded. Luckily, we can use a Fixup to accomplish this.

Fixups

I briefly discussed Fixups in part 1; however, I’ll reiterate that definition here.

Fixups allow us to perform one-way modifications of elements. Typically these are used in preparation for a transformer. In this case, we’ll use a Fixup to monitor an element or block, perform a CRC32 checksum of that element and output the 2 low order bytes of that checksum. More on this in a bit.

Fixup Parameters

  • class
    • There really is only 1 universal Fixup parameter, and that’s “class”. This defines the actual Fixup you want to apply. A full list of available Fixups can be found here.


Typically, a CRC32 checksum is written as a 4-byte value. In these cases, we can use the CRC32 Fixup that comes with the Peach framework. However, in several instances with the RAR file format, CRC32 checksums are written as 2-byte values. Because of this, we will need to generate the full, 4-byte CRC32 but only output the 2 low order bytes. Unfortunately for us, the standard Fixup will not do in these cases.

Creating A Custom Fixup

Thankfully for us, we only need to make a slight modification to the current CRC32 Fixup in order for this to work. Let’s examine this first before we attempt to write our own.

The CRC32 Fixup is located in C:\(Path to Peach Installation)\Peach\Fixups\checksums.py.

class Crc32Fixup(Fixup):
    '''
    Standard CRC32 as defined by ISO 3309.  Used by PNG, zip, etc.
    '''

    def __init__(self, ref):
        Fixup.__init__(self)
        self.ref = ref

    def fixup(self):
        self.context.defaultValue = "0"
        stuff = self._findDataElementByName(self.ref).getValue()
        if stuff == None:
            raise Exception("Error: Crc32Fixup was unable to locate [%s]" % self.ref)

        crc = zlib.crc32(stuff)
        if crc < 0:
            crc = ~crc ^ 0xffffffff

        return crc

The example above is fairly simple. Peach stores the value of the element referenced by the Fixup’s “ref” parameter in the variable “stuff”. It then applies zlib.crc32 to “stuff” and returns the result. Since Peach is already calculating the value for us, we only need to mask the resulting CRC so that only the 2 low order bytes are returned. The following Fixup will handle this for us nicely.

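import zlib
from Peach.fixup import Fixup

class Crc32LowOrdFixup(Fixup):
        '''
        Standard CRC32 as defined by ISO 3309, truncated to its 2 low
        order bytes.  Used for the 2-byte header CRC fields in RAR blocks.
        '''
        def __init__(self, ref):
                Fixup.__init__(self)
                self.ref = ref
        def fixup(self):
                self.context.defaultValue = "0"
                # Serialized bytes of the element named by the "ref" parameter
                stuff = self._findDataElementByName(self.ref).getValue()
                if stuff is None:
                        raise Exception("Error: Crc32LowOrdFixup was unable to locate [%s]" % self.ref)
                # zlib.crc32 may return a signed value; masking with 0xffff keeps
                # the 2 low order bytes and always yields a value in 0..65535,
                # so no separate sign correction is needed.
                crc = zlib.crc32(stuff) & 0xffff
                return crc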

Let’s go ahead and save this as custom.py and store it in the same directory as our Pit.
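The same header CRC arithmetic can be checked outside of Peach before starting a fuzzing run. The following is an added example, not code from the original article or from the Peach project; the function names and the constructed MAIN_HEAD sample are assumptions, and the 13-byte layout follows the ArchiveHeader block shown earlier.

```python
import struct
import zlib

MAIN_HEAD = 0x73      # HEAD_TYPE of the archive header block
MAIN_HEAD_SIZE = 13   # CRC(2) + type(1) + flags(2) + size(2) + reserved(2 + 4)


def low16_crc32(data, signed=False):
    """CRC32 of data truncated to its 2 low order bytes.

    signed=True reproduces the negative values that Python 2's zlib.crc32
    could return, to show that the 0xffff mask gives the same result.
    """
    crc = zlib.crc32(data) & 0xFFFFFFFF
    if signed and crc >= 0x80000000:
        crc -= 0x100000000
    return crc & 0xFFFF


def build_main_head(flags=0, reserved1=0, reserved2=0):
    """Serialize a constructed MAIN_HEAD block with a correct 2-byte CRC."""
    data = struct.pack("<BHHHI", MAIN_HEAD, flags, MAIN_HEAD_SIZE,
                       reserved1, reserved2)
    return struct.pack("<H", low16_crc32(data)) + data


def header_crc_ok(block):
    """True if the stored CRC matches the header bytes that follow it."""
    if len(block) < 7:
        return False
    stored, _type, _flags, head_size = struct.unpack_from("<HBHH", block, 0)
    if head_size < 7 or head_size > len(block):
        return False  # the size field itself is out of range
    return stored == low16_crc32(block[2:head_size])


def poke16(block, offset, value):
    """Overwrite a little-endian 16-bit field, leaving the CRC untouched."""
    out = bytearray(block)
    struct.pack_into("<H", out, offset, value)
    return bytes(out)


def apply_fixup(block):
    """Recompute the CRC over everything after the CRC field, which is what
    Crc32LowOrdFixup does with ref=ArchiveHeaderData."""
    return struct.pack("<H", low16_crc32(block[2:])) + block[2:]


if __name__ == "__main__":
    original = build_main_head()
    # Simulate a mutation of HeadFlags (offset 3) without a Fixup applied.
    mutated = poke16(original, 3, 0x0080)
    for label, blk in (("original", original),
                       ("mutated, no fixup", mutated),
                       ("mutated, fixup applied", apply_fixup(mutated))):
        print("%-24s %s crc_ok=%s" % (label, blk.hex(), header_crc_ok(blk)))
```

Running the script prints the three variants of the block with the result of the CRC check for each, which is the check a parser performs before it accepts the header.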

Before we move on, we’ll also need to add two lines to our Pit that’ll let Peach know where to look for our custom Fixup.

<Peach version="1.0">
  <!-- Custom Fixup -->
  <PythonPath path="c:\svn-peach\"/>
  <Import import="custom" />
  <Include ns="default" src="file:defaults.xml"/>

Good. Now the only thing left to do is apply our Fixup to the element. Your final block should look as follows:

      <!--  Archive header ( MAIN_HEAD ) -->
        <Block name="ArchiveHeader">
        <Number name="ArchiveHeadCRC16" size="16" endian="little" signed="false" mutable="false">
          <Fixup class="custom.Crc32LowOrdFixup">
            <Param name="ref" value="ArchiveHeaderData"/>
          </Fixup>
        </Number>
        <Block name="ArchiveHeaderData">
          <String name="ArchiveHeadType" valueType="hex" value="73" token="true" mutable="false">
            <Hint name="NumericalString" value="true"/>
          </String>
          <Flags name="HeadFlags" size="16">
            <Flag name="VolumeAttribute" position="0" size="1"/> <!-- 0x0001 -->
            <Flag name="ArchiveLockAttribute" position="2" size="1"/> <!-- 0x0004 -->
            <Flag name="SolidAttribute" position="3" size="1"/> <!-- 0x0008 -->
            <Flag name="VolumeNamingScheme" position="4" size="1"/> <!-- 0x0010 -->
            <Flag name="AuthenticityInformation" position="5" size="1"/> <!-- 0x0020 -->
            <Flag name="RecoveryRecord" position="6" size="1"/> <!-- 0x0040 -->
            <Flag name="EncryptedBlockHeaders" position="7" size="1"/> <!-- 0x0080 -->
            <Flag name="FirstVolume" position="8" size="1"/> <!-- 0x0100 -->
            <Flag name="Internal1" position="9" size="1" /> <!-- Internal Use Only -->
            <Flag name="Internal2" position="10" size="1" /> <!-- Internal Use Only -->
            <Flag name="Internal3" position="11" size="1" /> <!-- Internal Use Only -->
            <Flag name="Internal4" position="12" size="1" /> <!-- Internal Use Only -->
            <Flag name="Internal5" position="13" size="1" /> <!-- Internal Use Only -->
            <Flag name="Internal6" position="14" size="1" /> <!-- Internal Use Only -->
            <Flag name="Internal7" position="15" size="1" /> <!-- Internal Use Only -->
            </Flags>
            <Number name="HeadSize" size="16" endian="little" signed="false">
              <Relation type="size" of="ArchiveHeader"/>
            </Number>
            <Number name="Reserved1" size="16" endian="little" signed="false"/>
            <Number name="Reserved2" size="32" endian="little" signed="false"/>
          </Block>
        </Block>

Excellent. With that out of the way, the remainder of our Peach Pit will be fairly simple. Rather than reiterating the steps already discussed in Part 1 of this series, I’ve simply included the full Pit below. However, before we get to that, I’d like to detail some limitations of this Pit and potential solutions.

Limitations

During the creation of this Pit, I’ve identified several limitations that, at the time of writing, I was either unable to solve or simply didn’t want to delay this article any longer in order to develop portions of the specification that will have minimal impact on fuzzing success. This Pit does correctly parse nearly all RAR archives I’ve tested. However, in the interest of completeness, I’d like to outline some of these issues with the hope that you, the reader, might be able to fill the gaps where I was unable to do so.

First of all, this Pit does not cover the entire RAR specification. As only a portion of the specification is publicly available, I’ve had to enumerate the structure of a number of blocks based on the WinRAR source code, 010 Binary Template, and binary analysis of generated RAR archives. Currently, the following block types are not supported by this Pit.

  • HEAD_TYPE=0x77 old style subblock
  • HEAD_TYPE=0x78 old style recovery record
  • HEAD_TYPE=0x79 old style authenticity information

In addition to the missing block types, I’ve also run into an issue with several of the size relations being applied within the blocks. Blocks containing elements which lacked size/length definition in addition to “BLOCK OF RELATIONs” failed to properly parse the size of the element containing the block size. This caused Peach to terminate parsing of the block before all data was cracked. As such, I’ve removed the relations. This may cause some archivers to discard or improperly parse RAR archives which contain an incorrect block size. I’ve investigated several solutions; however, none yet meet the criteria that I’m looking for. I intend on fixing this issue shortly; however, I’d love to hear any suggestions that you might have.

Also, you may notice that there are a few elements within the RAR technote which use a 4-byte CRC32. Unfortunately, since these elements calculate the CRC32 of the decompressed data segments, using the standard CRC32 Fixup will fail without implementing a custom transformer to perform the RAR decompression. As it stands, without a transformer to do this it may be best to mark these data fields containing the compressed data as non-mutable.

Finally, the “OldSubBlock” could use more detail in regards to the block structure. I believe that I may have lumped several smaller elements together that could be broken out into individual elements.

The Pit

<?xml version="1.0" encoding="utf-8"?>
<Peach version="1.0" author="Jason Kratzer" site="http://www.flinkd.org">
  <!-- Custom Fixup -->
  <PythonPath path="c:\svn-peach\"/>
  <Import import="custom" />
  <Include ns="default" src="file:defaults.xml"/>
  <!-- http://ams.cern.ch/AMS/amsexch/arch/rar/technote.txt -->

  <DataModel name="RarFileFormat">
    <Choice maxOccurs="1000">
    <!-- Marker block ( MARK_HEAD ) -->
      <Block name="MarkerBlock">
        <String name="MarkHeadCRC32" valueType="hex" value="5261" token="true" mutable="false">
          <Hint name="NumericalString" value="true"/>
        </String>
        <Number name="MarkHeadType" size="8" endian="little" signed="false" value="114" token="true" mutable="false"/>
        <String name="MarkHeadFlags" valueType="hex" value="211A" token="true">
          <Hint name="NumericalString" value="true"/>
        </String>
        <Number name="MarkHeadSize" size="16" endian="little" signed="false" value="7"/>
      </Block>

      <!--  Archive header ( MAIN_HEAD ) -->
        <Block name="ArchiveHeader">
        <Number name="ArchiveHeadCRC16" size="16" endian="little" signed="false" mutable="false">
          <Fixup class="custom.Crc32LowOrdFixup">
            <Param name="ref" value="ArchiveHeaderData"/>
          </Fixup>
        </Number>
        <Block name="ArchiveHeaderData">
          <String name="ArchiveHeadType" valueType="hex" value="73" token="true" mutable="false">
            <Hint name="NumericalString" value="true"/>
          </String>
          <Flags name="HeadFlags" size="16">
            <Flag name="VolumeAttribute" position="0" size="1"/> <!-- 0x0001 -->
            <Flag name="ArchiveLockAttribute" position="2" size="1"/> <!-- 0x0004 -->
            <Flag name="SolidAttribute" position="3" size="1"/> <!-- 0x0008 -->
            <Flag name="VolumeNamingScheme" position="4" size="1"/> <!-- 0x0010 -->
            <Flag name="AuthenticityInformation" position="5" size="1"/> <!-- 0x0020 -->
            <Flag name="RecoveryRecord" position="6" size="1"/> <!-- 0x0040 -->
            <Flag name="EncryptedBlockHeaders" position="7" size="1"/> <!-- 0x0080 -->
            <Flag name="FirstVolume" position="8" size="1"/> <!-- 0x0100 -->
            <Flag name="Internal1" position="9" size="1" /> <!-- Internal Use Only -->
            <Flag name="Internal2" position="10" size="1" /> <!-- Internal Use Only -->
            <Flag name="Internal3" position="11" size="1" /> <!-- Internal Use Only -->
            <Flag name="Internal4" position="12" size="1" /> <!-- Internal Use Only -->
            <Flag name="Internal5" position="13" size="1" /> <!-- Internal Use Only -->
            <Flag name="Internal6" position="14" size="1" /> <!-- Internal Use Only -->
            <Flag name="Internal7" position="15" size="1" /> <!-- Internal Use Only -->
            </Flags>
            <Number name="HeadSize" size="16" endian="little" signed="false">
              <Relation type="size" of="ArchiveHeader"/>
            </Number>
            <Number name="Reserved1" size="16" endian="little" signed="false"/>
            <Number name="Reserved2" size="32" endian="little" signed="false"/>
          </Block>
        </Block>

      <!-- File header (File in archive) -->
        <Block name="FileHeader">
          <Number name="FileHeadCRC32" size="16" endian="little" signed="false" mutable="false">
            <Fixup class="custom.Crc32LowOrdFixup">
              <Param name="ref" value="FileHeaderData"/>
            </Fixup>
          </Number>
          <Block name="FileHeaderData">
            <String name="HeadType" valueType="hex" value="74" token="true" mutable="false">
              <Hint name="NumericalString" value="true"/>
            </String>
            <Flags name="FileHeadFlags" size="16">
              <Flag name="FileContinuedPrevVol" position="0" size="1"/> <!-- 0x0001 -->
              <Flag name="FileContinuedNextVol" position="1" size="1"/> <!-- 0x0002 -->
              <Flag name="FileEncrypted" position="2" size="1"/> <!-- 0x0004 -->
              <Flag name="FileComment" position="3" size="1"/> <!-- 0x0008 -->
              <Flag name="InformationFromPrev" position="4" size="1"/> <!-- 0x0010 -->
              <Flag name="Dictionary" position="5" size="3"/>
              <Flag name="HighPackHighUNPSize" position="8" size="1"/> <!-- 0x0100 -->
              <Flag name="FileName" position="9" size="1"/> <!-- 0x0200 -->
              <Flag name="EncryptionSalt" position="10" size="1"/> <!-- 0x0400 -->
              <Flag name="VersionFlag" position="11" size="1"/> <!-- 0x0800 -->
              <Flag name="ExtendedTimeField" position="12" size="1" /> <!-- 0x1000 -->
              <Flag name="Reserved" position="13" size="1" />
              <Flag name="OldVersionIgnore" position="14" size="1" />
              <Flag name="AddSizePresent" position="15" size="1" /> <!-- 0x8000 -->
            </Flags>
            <Number name="FileHeadSize" size="16" endian="little" signed="false">
              <!-- <Relation type="size" of="FileHeader"/> This should be fixed -->
            </Number>
            <Number name="CompressedSize" size="32" endian="little" signed="false">
              <Relation type="size" of="RawData"/>
            </Number>
            <Number name="UncompressedSize" size="32" endian="little" signed="false"/>
            <Number name="FileHostOS" size="8" endian="little" signed="false"/>
            <Number name="FileCRC" size="32" endian="little" signed="true" mutable="false"/> <!-- CRC of decompressed file -->
            <Number name="FileTime" size="16" endian="little" signed="false"/>
            <Number name="FileDate" size="16" endian="little" signed="false"/>
            <Number name="FileUnpackedVer" size="8" endian="little" signed="false"/>
            <Number name="FileMethod" size="8" endian="little" signed="false"/>
            <Number name="FileNameSize" size="16" endian="little" signed="false">
              <Relation type="size" of="FileName" isOutputOnly="true"/>
            </Number>
            <Number name="FileAttributes" size="32" endian="little" signed="false"/>
            <Block name="OptionalPackSize" minOccurs="0" maxOccurs="2">
              <!-- Enabled if HeadFlags 0x100 != 0 -->
              <Relation type="when" when="self.find('HighPackHighUNPSize').getInternalValue() != 0"/>
              <Number name="FileHighPackedSize" size="32" endian="little" signed="false"/>
              <Number name="FileHighUnpackedSize" size="32" endian="little" signed="false"/>
            </Block>
            <String name="FileName"/>
            <Block minOccurs="0" maxOccurs="1">
              <!-- Enabled if HeadFlags 0x400 != 0 -->
              <Relation type="when" when="self.find('EncryptionSalt').getInternalValue() != 0"/>
              <Number name="FileSalt" size="64" endian="little" signed="false"/>
            </Block>
            <Block name="OptionalFileExtTime" minOccurs="0" maxOccurs="1">
              <!-- Enabled if HeadFlags 0x1000 != 0 -->
              <Relation type="when" when="self.find('ExtendedTimeField').getInternalValue() != 0"/>
              <!--<Number name="FileExtTime" endian="little" signed="false"/>--> <!-- Element size undocumented -->
              <String name="FileExtTime" length="5"/>
            </Block>
          </Block>
          <Blob name="RawData"/>
        </Block>

      <!-- Old Style Comment Block -->
        <Block name="CommentBlock">
          <Number name="CommentBlockHeadCRC32" size="16" endian="little" signed="false" mutable="false">
            <Fixup class="custom.Crc32LowOrdFixup">
              <Param name="ref" value="CommentData"/>
            </Fixup>
          </Number>
          <Block name="CommentData">
            <String name="HeadType" valueType="hex" value="75" token="true" mutable="false">
              <Hint name="NumericalString" value="true"/>
            </String>
            <Number name="CommentHeadFlags" size="16" endian="little" signed="false"/>
            <Number name="CommentHeadSize" size="16" endian="little" signed="false">
              <Relation type="size" of="CommentBlock"/>
            </Number>
            <Number name="CommentUnpSize" size="16" endian="little" signed="false"/>
            <Number name="CommentUnpVersion" size="8" endian="little" signed="false"/>
            <Number name="CommentUnpMethod" size="8" endian="little" signed="false"/>
            <Number name="CommentCRC" size="16" endian="little" signed="false"/>
            <Blob name="CommentData"/>
          </Block>
        </Block>

      <!-- Old Style Authenticity Block -->
        <Block name="ExtraInfoBlock"><Relation type="size" of="ExtraInfoHeadSize"/>
          <Number name="ExtraInfoHeadCRC32" size="16" endian="little" signed="false" mutable="false">
            <Fixup class="custom.Crc32LowOrdFixup">
              <Param name="ref" value="ExtraInfoData"/>
            </Fixup>
          </Number>
          <Block name="ExtraInfoData">
            <Number name="ExtraInfoHeadType" size="8" endian="little" signed="false" value="118" token="true"/>
            <Number name="ExtraInfoHeadFlags" size="16" endian="little" signed="false"/>
            <Number name="ExtraInfoHeadSize" size="16" endian="little" signed="false"/>
            <Blob name="ExtraInfoData"/>
          </Block>
        </Block>

      <!-- Old Style Sub-Block -->
        <Block name="OldSubBlock"><Relation type="size" of="OldSubBlockHeadSize"/>
          <Number name="OldSubBlockHeadCRC32" size="16" endian="little" signed="false" mutable="false">
            <Fixup class="custom.Crc32LowOrdFixup">
              <Param name="ref" value="OldSubBlockData"/>
            </Fixup>
          </Number>
          <Block name="OldSubBlockData">
            <Number name="OldSubBlockHeadType" size="8" endian="little" signed="false" value="119" token="true"/>
            <Number name="OldSubBlockHeadFlags" size="16" endian="little" signed="false"/>
            <Number name="OldSubBlockHeadSize" size="16" endian="little" signed="false"/>
          </Block>
        </Block> 

      <!-- Sub-Block -->
        <Block name="SubBlock">
          <Block name="SubBlockHeader">
            <Number name="SubBlockHeadCRC32" size="16" endian="little" signed="false" mutable="false">
              <Fixup class="custom.Crc32LowOrdFixup">
                <Param name="ref" value="SubBlockData"/>
              </Fixup>
            </Number>
            <Block name="SubBlockData">
              <String name="SubBlockHeadType" valueType="hex" value="7A" token="true">
                <Hint name="NumericalString" value="true"/>
              </String>
              <Number name="SubBlockHeadFlags" size="16" endian="little" signed="false"/>
              <Number name="SubBlockHeadSize" size="16" endian="little" signed="false">
                <Relation type="size" of="SubBlockFoo" expressionGet="size-11" expressionSet="size+11"/>
              </Number>
              <Number name="SubBlockRawDataSize" size="32" endian="little" signed="false">
                <Relation type="size" of="SubBlockBar"/> <!-- Add named relation -->
              </Number>
              <Blob name="SubBlockFoo"/> <!-- Fix this -->
            </Block>
          </Block>
          <Blob name="SubBlockBar"/>
        </Block>

      <!-- End of File Block -->
        <Block name="EndOfFile">
          <Number name="EoFHeadCRC32" size="16" endian="little" signed="false" mutable="false">
            <Fixup class="custom.Crc32LowOrdFixup">
              <Param name="ref" value="EoFData"/>
            </Fixup>
          </Number>
          <Block name="EoFData">
            <Number name="EoFHeadType" size="8" endian="little" signed="false" value="123" token="true"/>
            <Number name="EoFHeadFlags" size="16" endian="little" signed="false"/>
            <Number name="EoFHeadSize" size="16" endian="little" signed="false" value="7" token="true">
              <Relation type="size" of="EndOfFile" />
            </Number>
          </Block>
        </Block>
      </Choice>
    </DataModel>

    <DataModel name="Param">
      <String name="Value" isStatic="true"/>
    </DataModel>
    <StateModel name="TheState" initialState="Initial">
      <State name="Initial">
        <Action type="output">
          <DataModel ref="RarFileFormat"/>
          <Data name="data" fileName="C:\test.rar"/>
        </Action>
        <Action type="close"/>
        <Action type="call" method="ScoobySnacks"/>
      </State>
    </StateModel>
    <Agent name="LocalAgent">
      <Monitor class="debugger.WindowsDebugEngine">
        <Param name="CommandLine" value="C:\Program Files\WinRAR\WinRAR.exe fuzzed.rar"/>
        <Param name="StartOnCall" value="ScoobySnacks"/>
      </Monitor>
      <Monitor class="process.PageHeap">
        <Param name="Executable" value="WinRAR.exe"/>
      </Monitor>
    </Agent>

    <Test name="TheTest">
      <!--<Strategy class="rand.RandomMutationStrategy" switchCount="1500" maxFieldsToMutate="7"/>-->
      <Agent ref="LocalAgent"/>
      <StateModel ref="TheState"/>
      <Publisher class="file.FileWriterLauncherGui">
        <Param name="fileName" value="fuzzed.rar"/>
        <Param name="windowName" value="fuzzed.rar - WinRAR"/>
        <Param name="debugger" value="true"/>
      </Publisher>
    </Test>
    <Run name="DefaultRun">
      <Test ref="TheTest"/>
      <Logger class="logger.Filesystem">
        <Param name="path" value="C:\svn-peach\logs\winrar\"/>
      </Logger>
    </Run>
</Peach>

Fin!

That’s it. Please let me know if you have any questions or if there’s anything I could do to improve these tutorials.

I’d also like to extend a warm thanks to Rodrigo Escobar for helping me out with some of the Fixup fuzziness and with numerous other ongoing projects. Make sure you drop by his Twitter feed!