diff options
| author | van Hauser <vh@thc.org> | 2020-04-19 10:15:28 +0200 |
|---|---|---|
| committer | Dominik Maier <domenukk@gmail.com> | 2020-04-21 13:14:34 +0200 |
| commit | 8b3befea6d34e84cc8861939e61b219ffb4eb37f (patch) | |
| tree | 7b91af9e22ebb1e69e0fe348299d7127cd6a123d | |
| parent | 5b9928f1a9d4b017ea04365ca8b522fde71236eb (diff) | |
| download | afl++-8b3befea6d34e84cc8861939e61b219ffb4eb37f.tar.gz | |
update documentation
| -rw-r--r-- | docs/Changelog.md | 11 | ||||
| -rw-r--r-- | qemu_mode/README.persistent.md | 12 |
2 files changed, 16 insertions, 7 deletions
diff --git a/docs/Changelog.md b/docs/Changelog.md index 93820c3b..95adf8ea 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -10,8 +10,15 @@ sending a mail to <afl-users+subscribe@googlegroups.com>. ### Version ++2.64d (develop): - - ... - + - qemu_mode: + - add information on PIE/PIC load addresses for 32 bit + - better dependency checks + - gcc_plugin: + - better dependency checks + - unicorn_mode: + - better submodule handling + - all: + - fix 32 bit build options ### Version ++2.64c (release): diff --git a/qemu_mode/README.persistent.md b/qemu_mode/README.persistent.md index 46077402..b6d5d2d0 100644 --- a/qemu_mode/README.persistent.md +++ b/qemu_mode/README.persistent.md @@ -23,8 +23,10 @@ in 2.2 and 2.3) have to be set. This address (as well as the RET address, see below) has to be defined in hexadecimal with the 0x prefix or as a decimal value. -If the target is compiled with position independant code (PIE/PIC), you must -add 0x4000000000 to that address, because qemu loads to this base address. +*Note:* If the target is compiled with position independant code (PIE/PIC) +qemu loads these to a specific base address. +For 64 bit you have to add 0x4000000000 (9 zeroes) and for 32 bit 0x40000000 +(7 zeroes) to the address. On strange setups the base address set by QEMU for PIE executable may change, you can check it printing the process map using `AFL_QEMU_DEBUG_MAPS=1 afl-qemu-trace TARGET-BINARY` @@ -32,7 +34,7 @@ you can check it printing the process map using If this address is not valid, afl-fuzz will error during startup with the message that the forkserver was not found. -### 2.2) the RET address +### 2.2) The RET address The RET address is the last instruction of the persistent loop. The emulator will emit a jump to START when translating the instruction at RET. @@ -46,7 +48,7 @@ patch the return address (on stack or in the link register) to return to START It is defined by setting AFL_QEMU_PERSISTENT_RET, and too 0x4000000000 has to be set if the target is position independant. -### 2.3) the OFFSET +### 2.3) The OFFSET This option is valid only for x86/x86_64 only, arm/aarch64 do not save the return address on stack. @@ -72,7 +74,7 @@ Now to get this value right here some help: 8. again print the ESP value 9. calculate the difference between the two values - and this is the offset -### 2.4) resetting the register state +### 2.4) Resetting the register state It is very, very likely you need to restore the general purpose registers state when starting a new loop. Because of this you 99% of the time should set |