authorvan Hauser <vh@thc.org>2022-11-14 21:48:50 +0100
committerGitHub <noreply@github.com>2022-11-14 21:48:50 +0100
commit46beedadd74087cd04f1bd4928ebf2e15aeb602d (patch)
tree367162604331f429ac2cdf271dbf053b9485945e
parent3cc5019fe492176e0cb5dbd446f1fa125ec9d7ed (diff)
parent7f7cbe962324f7af8d55423ee09635996a8c9332 (diff)
downloadafl++-46beedadd74087cd04f1bd4928ebf2e15aeb602d.tar.gz
Merge pull request #1580 from guyf2010/dev
Add option for random cmplog colorization
-rw-r--r--include/afl-fuzz.h2
-rw-r--r--src/afl-fuzz-redqueen.c29
-rw-r--r--src/afl-fuzz.c9
3 files changed, 36 insertions, 4 deletions
diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h
index cae7fae0..88646db3 100644
--- a/include/afl-fuzz.h
+++ b/include/afl-fuzz.h
@@ -657,7 +657,7 @@ typedef struct afl_state {
   u32 cmplog_max_filesize;
   u32 cmplog_lvl;
   u32 colorize_success;
-  u8  cmplog_enable_arith, cmplog_enable_transform;
+  u8  cmplog_enable_arith, cmplog_enable_transform, cmplog_random_colorization;
 
   struct afl_pass_stat *pass_stats;
   struct cmp_map       *orig_cmp_map;
diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c
index 337f124d..0dae26a3 100644
--- a/src/afl-fuzz-redqueen.c
+++ b/src/afl-fuzz-redqueen.c
@@ -167,6 +167,25 @@ static u8 get_exec_checksum(afl_state_t *afl, u8 *buf, u32 len, u64 *cksum) {
 
 }
 
+/* replace everything with different values */
+static void random_replace(afl_state_t *afl, u8 *buf, u32 len) {
+
+  for (u32 i = 0; i < len; i++) {
+
+    u8 c;
+
+    do {
+
+      c = rand_below(afl, 256);
+
+    } while (c == buf[i]);
+
+    buf[i] = c;
+
+  }
+
+}
+
 /* replace everything with different values but stay in the same type */
 static void type_replace(afl_state_t *afl, u8 *buf, u32 len) {
 
@@ -293,7 +312,15 @@ static u8 colorization(afl_state_t *afl, u8 *buf, u32 len,
 
   memcpy(backup, buf, len);
   memcpy(changed, buf, len);
-  type_replace(afl, changed, len);
+  if (afl->cmplog_random_colorization) {
+
+    random_replace(afl, changed, len);
+
+  } else {
+
+    type_replace(afl, changed, len);
+
+  }
 
   while ((rng = pop_biggest_range(&ranges)) != NULL &&
          afl->stage_cur < afl->stage_max) {
diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c
index acb0b2ec..a81cab7d 100644
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@@ -171,10 +171,11 @@ static void usage(u8 *argv0, int more_help) {
       "                  if using QEMU/FRIDA or the fuzzing target is "
       "compiled\n"
       "                  for CmpLog then just use -c 0.\n"
-      "  -l cmplog_opts - CmpLog configuration values (e.g. \"2AT\"):\n"
+      "  -l cmplog_opts - CmpLog configuration values (e.g. \"2ATR\"):\n"
       "                  1=small files, 2=larger files (default), 3=all "
       "files,\n"
-      "                  A=arithmetic solving, T=transformational solving.\n\n"
+      "                  A=arithmetic solving, T=transformational solving,\n"
+      "                  R=random colorization bytes.\n\n"
       "Fuzzing behavior settings:\n"
       "  -Z            - sequential queue selection instead of weighted "
       "random\n"
@@ -1113,6 +1114,10 @@ int main(int argc, char **argv_orig, char **envp) {
             case 'T':
               afl->cmplog_enable_transform = 1;
               break;
+            case 'r':
+            case 'R':
+              afl->cmplog_random_colorization = 1;
+              break;
             default:
               FATAL("Unknown option value '%c' in -l %s", *c, optarg);