diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c
index fd75a82293..640237e44d 100644
--- a/src/afl-fuzz-bitmap.c
+++ b/src/afl-fuzz-bitmap.c
@@ -225,6 +225,7 @@ inline u8 has_new_bits(afl_state_t *afl, u8 *virgin_map) {
 #endif /* ^WORD_SIZE_64 */
 u8 ret = 0;
+ u64 cksum = hash64(virgin_map, afl->fsrv.map_size, HASH_CONST);
 while (i--) {
 if (unlikely(*current)) discover_word(&ret, current, virgin);
@@ -235,7 +236,12 @@ inline u8 has_new_bits(afl_state_t *afl, u8 *virgin_map) {
 }
 if (unlikely(ret) && likely(virgin_map == afl->virgin_bits))
+ {
 afl->bitmap_changed = 1;
+ if(afl->introspection_file) {
+ fprintf(afl->introspection_file, "HNB HASH %d\n", cksum);
+ }
+ }
 return ret;
diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c
index fd5ed87ca3..71232711b0 100644
--- a/src/afl-fuzz-one.c
+++ b/src/afl-fuzz-one.c
@@ -616,7 +616,7 @@ u8 fuzz_one_original(afl_state_t *afl) {
 afl->stage_short = "flip1";
 afl->stage_max = len << 3;
 afl->stage_name = "bitflip 1/1";
-
+ printf("FLIP1\n");
 afl->stage_val_type = STAGE_VAL_NONE;
 orig_hit_cnt = afl->queued_items + afl->saved_crashes;
@@ -747,6 +747,7 @@ u8 fuzz_one_original(afl_state_t *afl) {
 afl->stage_name = "bitflip 2/1";
 afl->stage_short = "flip2";
 afl->stage_max = (len << 3) - 1;
+ printf("FLIP2\n");
 orig_hit_cnt = new_hit_cnt;
@@ -786,6 +787,7 @@ u8 fuzz_one_original(afl_state_t *afl) {
 afl->stage_name = "bitflip 4/1";
 afl->stage_short = "flip4";
 afl->stage_max = (len << 3) - 3;
+ printf("FLIP4\n");
 orig_hit_cnt = new_hit_cnt;
@@ -829,6 +831,7 @@ u8 fuzz_one_original(afl_state_t *afl) {
 afl->stage_name = "bitflip 8/8";
 afl->stage_short = "flip8";
 afl->stage_max = len;
+ printf("FLIP8\n");
 orig_hit_cnt = new_hit_cnt;
 prev_cksum = _prev_cksum;
@@ -880,6 +883,7 @@ u8 fuzz_one_original(afl_state_t *afl) {
 afl->stage_short = "flip16";
 afl->stage_cur = 0;
 afl->stage_max = len - 1;
+ printf("FLIP16\n");
 orig_hit_cnt = new_hit_cnt;
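Review bot: In the second afl-fuzz-bitmap.c hunk, `fprintf(afl->introspection_file, "HNB HASH %d\n", cksum)` passes a u64 (the value hash64() returns, as the first hunk's `u64 cksum = ...` shows) to a `%d` conversion, which is undefined behaviour and in practice logs a truncated value; use `"HNB HASH %llu\n", (unsigned long long)cksum`. The first hunk also computes `hash64(virgin_map, afl->fsrv.map_size, HASH_CONST)` unconditionally at the top of has_new_bits(), so every execution now pays a full-map hash even though the value is only consumed on the new-bits path when an introspection file is open; move the call inside the `if(afl->introspection_file)` branch, e.g. `u64 cksum = hash64(virgin_map, afl->fsrv.map_size, HASH_CONST);` right before the fprintf. If `introspection_file` is only declared when the build has introspection enabled, as I would expect from the existing `#ifdef INTROSPECTION` blocks elsewhere in this patch, this hunk also needs the same guard or the default build breaks. has_new_bits() starts and ends outside these hunks.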
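Review bot: The afl-fuzz-one.c hunks add unconditional `printf("FLIP1\n")` calls to stdout inside fuzz_one_original(), and the same pattern repeats in the FLIP2, FLIP4, FLIP8, FLIP16, FLIP32 and `printf("EXT O")` hunks of that file and in the `printf("QUICK at %d\n", ...)` and `printf("Replacing %d with %d\n", ...)` hunks of afl-fuzz-skipdet.c. The fuzzer draws its status screen on stdout, so these lines corrupt the UI on every stage transition and every byte replacement, and `"EXT O"` is missing its newline so it runs into whatever is printed next. `QUICK at %d` also passes `afl->fsrv.total_execs`, which I would expect to be a 64-bit counter, to a `%d` conversion. If these traces are meant to stay, gate them under `#ifdef INTROSPECTION` and write them to `afl->introspection_file` as the ARITH8 hunk does; otherwise drop them before merging. fuzz_one_original() continues outside every one of these hunks.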
@@ -923,6 +927,7 @@ u8 fuzz_one_original(afl_state_t *afl) {
 afl->stage_short = "flip32";
 afl->stage_cur = 0;
 afl->stage_max = len - 3;
+ printf("FLIP32\n");
 orig_hit_cnt = new_hit_cnt;
@@ -1025,6 +1030,8 @@ u8 fuzz_one_original(afl_state_t *afl) {
 #ifdef INTROSPECTION
 snprintf(afl->mutation, sizeof(afl->mutation), "%s ARITH8--%u-%u", afl->queue_cur->fname, i, j);
+ fprintf(afl->introspection_file, "LOGGING %s = %s\n", afl->mutation,
+ afl->queue_top->fname);
 #endif
 if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; }
@@ -1566,7 +1573,7 @@ u8 fuzz_one_original(afl_state_t *afl) {
 afl->stage_max = afl->extras_cnt * len;
 afl->stage_val_type = STAGE_VAL_NONE;
-
+ printf("EXT O");
 orig_hit_cnt = new_hit_cnt;
 for (i = 0; i < (u32)len; ++i) {
diff --git a/src/afl-fuzz-skipdet.c b/src/afl-fuzz-skipdet.c
index 8a927292bb..8a07f9c87d 100644
--- a/src/afl-fuzz-skipdet.c
+++ b/src/afl-fuzz-skipdet.c
@@ -1,6 +1,7 @@
 #include "afl-fuzz.h"
+#include
 void flip_range(u8 *input, u32 pos, u32 size) {
@@ -154,15 +155,17 @@ u8 skip_deterministic_stage(afl_state_t *afl, u8 *orig_buf, u8 *out_buf,
 flip_range(out_buf, pos, flip_block_size);
- if (common_fuzz_stuff(afl, out_buf, len)) return 0;
+ u64 cksum;
+ for(int y = 0; y < 10; y++) {
+ if (common_fuzz_stuff(afl, out_buf, len)) return 0;\
+ cksum =
+ hash64(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST);
+ }
 flip_range(out_buf, pos, flip_block_size);
- u64 cksum =
- hash64(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST);
-
- // printf("Now trying range %d with %d, %s.\n", pos, cur_block_size,
- // (cksum == prev_cksum) ? (u8*)"Yes" : (u8*) "Not");
+ // printf("Now trying range %d with %d %d==%d, %s.\n", pos, cur_block_size, cksum, prev_cksum,
+ // (cksum == prev_cksum) ? (u8*)"Yes" : (u8*) "Not");
 /* continue until we fail or exceed length */
 if (cksum == _prev_cksum) {
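Review bot: In the ARITH8 hunk the new `fprintf(afl->introspection_file, "LOGGING %s = %s\n", afl->mutation, afl->queue_top->fname)` runs before the `if (common_fuzz_stuff(afl, out_buf, len))` line that actually executes the mutated input, so if `queue_top` names the most recently added queue entry, the log pairs this mutation with whatever entry was saved previously, not with anything this input produced. If the intent is to record which mutation led to which new entry, the line has to move after common_fuzz_stuff() and be conditioned on the queue having grown, e.g. compare `afl->queued_items` before and after the call. A one-line comment stating what the `LOGGING a = b` pairing means would also help the next reader of the introspection file. fuzz_one_original() continues outside the hunk.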
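Review bot: The `+#include` line in the first afl-fuzz-skipdet.c hunk has no header name as rendered here, which the preprocessor rejects; the angle-bracketed name was most likely stripped when the page was extracted, but please confirm the committed line reads `#include <stdio.h>` (or whichever header the new fopen/fwrite/printf calls need). If `afl-fuzz.h` already provides stdio, the include is redundant and can be dropped.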
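Review bot: In the `@@ -154` hunk of afl-fuzz-skipdet.c, `if (common_fuzz_stuff(afl, out_buf, len)) return 0;\` ends in a stray backslash, which splices the following `cksum =` line onto it; it still compiles, but it reads as a deliberate line continuation and will confuse the next edit, so drop the backslash: `if (common_fuzz_stuff(afl, out_buf, len)) return 0;`. The surrounding `for(int y = 0; y < 10; y++)` executes the identical input ten times and keeps only the last `hash64()` of trace_bits, which multiplies the cost of this probe by ten while discarding the nine earlier values; if the point is to test trace stability, compare successive hashes as the later `@@ -308` hunk does, otherwise restore the single execution. The old single `u64 cksum = hash64(...)` after the second flip_range() is also gone, so `cksum` now reflects the trace before the range is flipped back, which changes what the `if (cksum == _prev_cksum)` comparison below tests. skip_deterministic_stage() starts and ends outside the hunk.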
@@ -230,7 +233,7 @@ u8 skip_deterministic_stage(afl_state_t *afl, u8 *orig_buf, u8 *out_buf,
 orig_hit_cnt = afl->queued_items + afl->saved_crashes;
 u32 before_skip_inf = afl->queued_items;
-
+ printf("QUICK at %d\n", afl->fsrv.total_execs);
 /* clean all the eff bytes, since previous eff bytes are already fuzzed */
 u8 *skip_eff_map = afl->queue_cur->skipdet_e->skip_eff_map, *done_inf_map = afl->queue_cur->skipdet_e->done_inf_map;
@@ -308,10 +311,28 @@ u8 skip_deterministic_stage(afl_state_t *afl, u8 *orig_buf, u8 *out_buf,
 }
 out_buf[afl->stage_cur_byte] = replace;
+ printf("Replacing %d with %d\n", afl->stage_cur_byte, replace);
 before_skip_inf = afl->queued_items;
- if (common_fuzz_stuff(afl, out_buf, len)) { return 0; }
+ int cksum = 0;
+ for(int y = 0; y < 20; y++) {
+ if (common_fuzz_stuff(afl, out_buf, len)) { return 0; }
+ int new_cksum =
+ hash64(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST);
+ if (cksum != 0 && cksum != new_cksum) {
+ char inputname[64];
+ snprintf(inputname, sizeof(inputname), "input_%d_%d.bin", afl->stage_cur_byte, y);
+ FILE* fp1 = fopen(inputname, "wb"); // Open file in binary write mode
+ fwrite(afl->fsrv.trace_bits, 1, afl->fsrv.map_size, fp1);
+ fclose(fp1);
+ printf("============================================================================\n");
+ printf("new_cksum: %d\n", new_cksum);
+ exit(1);
+ }
+ printf("new_cksum: %d\n", new_cksum);
+ cksum = new_cksum;
+ }
 out_buf[afl->stage_cur_byte] = orig;
pFad - Phonifier reborn
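Review bot: In the `@@ -308` hunk, `int cksum = 0;` and `int new_cksum = hash64(...)` truncate the 64-bit hash (stored as `u64` everywhere else on this page) to an int, so two different traces can compare equal and the `cksum != 0` sentinel silently skips the comparison whenever the truncated value happens to be zero; both should be `u64`, with the first iteration recognised by `y > 0` rather than a magic value. `fopen(inputname, "wb")` is never checked, so a failing open (read-only cwd, too many open files) passes NULL to fwrite(), and the file lands in the current directory under a name that depends only on `stage_cur_byte` and `y`, overwriting any earlier dump. `exit(1)` from inside the deterministic stage terminates the whole fuzzer without going through its normal shutdown, which is a heavy reaction to a single unstable trace; abandoning the entry through the existing `return 0` path, or warning and continuing, keeps the run alive. The rewritten loop below keeps the dump for diagnosis but makes the types, the first-iteration check and the error handling explicit; skip_deterministic_stage() starts before this hunk and the diff ends mid-function.
```c
        before_skip_inf = afl->queued_items;
        u64 cksum = 0;
        for (int y = 0; y < 20; y++) {
          if (common_fuzz_stuff(afl, out_buf, len)) { return 0; }
          u64 new_cksum =
              hash64(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST);
          if (y > 0 && cksum != new_cksum) {
            char inputname[64];
            snprintf(inputname, sizeof(inputname), "input_%d_%d.bin",
                     afl->stage_cur_byte, y);
            FILE *fp1 = fopen(inputname, "wb");
            if (fp1) {
              fwrite(afl->fsrv.trace_bits, 1, afl->fsrv.map_size, fp1);
              fclose(fp1);
            }
            WARNF("unstable trace at byte %d: %llu != %llu",
                  afl->stage_cur_byte, (unsigned long long)cksum,
                  (unsigned long long)new_cksum);
            return 0; /* same abandon path as a failed common_fuzz_stuff() */
          }
          cksum = new_cksum;
        }
        // … unchanged: out_buf[afl->stage_cur_byte] = orig; …
```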
