authorAndrea Fioraldi <andreafioraldi@gmail.com>2021-10-19 13:59:38 +0200
committerAndrea Fioraldi <andreafioraldi@gmail.com>2021-10-19 13:59:38 +0200
commit23e69f11075b20c4907ebe902af08dcbb13ec175 (patch)
tree9bd59c8786c8a81370373484778c0aeb1770d095 /frida_mode
parent77a63d8ccfd4b409c35227e174f1d6e809256e41 (diff)
parentbb8a4d71da8f2b748a78ccc4416df6bffb393d80 (diff)
downloadafl++-23e69f11075b20c4907ebe902af08dcbb13ec175.tar.gz
Merge branch 'dev' of github.com:AFLplusplus/AFLplusplus into dev
Diffstat (limited to 'frida_mode')
-rw-r--r--frida_mode/GNUmakefile23
-rw-r--r--frida_mode/README.md14
-rw-r--r--frida_mode/include/instrument.h1
-rw-r--r--frida_mode/include/ranges.h2
-rw-r--r--frida_mode/src/instrument/instrument.c1
-rw-r--r--frida_mode/src/instrument/instrument_arm32.c4
-rw-r--r--frida_mode/src/instrument/instrument_arm64.c3
-rw-r--r--frida_mode/src/instrument/instrument_x64.c369
-rw-r--r--frida_mode/src/instrument/instrument_x86.c3
-rw-r--r--frida_mode/src/ranges.c13
-rw-r--r--frida_mode/src/seccomp/seccomp_atomic.c2
-rw-r--r--frida_mode/src/seccomp/seccomp_callback.c2
-rw-r--r--frida_mode/src/seccomp/seccomp_child.c2
-rw-r--r--frida_mode/src/seccomp/seccomp_event.c2
-rw-r--r--frida_mode/src/seccomp/seccomp_filter.c2
-rw-r--r--frida_mode/src/seccomp/seccomp_print.c2
-rw-r--r--frida_mode/src/seccomp/seccomp_socket.c2
-rw-r--r--frida_mode/src/seccomp/seccomp_syscall.c2
18 files changed, 276 insertions, 173 deletions
diff --git a/frida_mode/GNUmakefile b/frida_mode/GNUmakefile
index 3e35e2f6..ed35c9f6 100644
--- a/frida_mode/GNUmakefile
+++ b/frida_mode/GNUmakefile
@@ -30,8 +30,7 @@ AFL_CFLAGS:=-Wno-unused-parameter \
LDFLAGS+=-shared \
-lpthread \
- -lresolv \
- -ldl
+ -lresolv
ifdef DEBUG
CFLAGS+=-Werror \
@@ -71,7 +70,9 @@ ifdef DEBUG
endif
LDFLAGS+= -z noexecstack \
-Wl,--gc-sections \
- -Wl,--exclude-libs,ALL
+ -Wl,--exclude-libs,ALL \
+ -ldl \
+ -lrt
LDSCRIPT:=-Wl,--version-script=$(PWD)frida.map
endif
@@ -79,6 +80,22 @@ ifeq "$(shell uname)" "Linux"
OS:=linux
endif
+ifneq "$(findstring android, $(shell $(CC) --version 2>/dev/null))" ""
+ OS:=android
+ ifneq "$(findstring aarch64, $(shell $(CC) --version 2>/dev/null))" ""
+ ARCH:=arm64
+ endif
+ ifneq "$(findstring arm, $(shell $(CC) --version 2>/dev/null))" ""
+ ARCH:=arm
+ endif
+ ifneq "$(findstring x86_64, $(shell $(CC) --version 2>/dev/null))" ""
+ ARCH:=x86_64
+ endif
+ ifneq "$(findstring i686, $(shell $(CC) --version 2>/dev/null))" ""
+ ARCH:=x86
+ endif
+endif
+
ifndef OS
$(error "Operating system unsupported")
endif
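Review bot: `$(shell $(CC) --version 2>/dev/null)` is spawned five times in this block; capture it once with `CC_VERSION:=$(shell $(CC) --version 2>/dev/null)` and test `$(findstring android,$(CC_VERSION))` and friends, which also makes the ARCH checks read the same text. The ARCH checks are plain substring matches evaluated in sequence, so if an aarch64 toolchain's version output ever contains the substring `arm` (for instance in an install path), the later check overwrites `ARCH:=arm64` with `ARCH:=arm`; chaining them with `else ifneq` or matching on the `Target:` triple clang prints would make the detection order-independent. The enclosing Linux/OS detection block starts and ends outside this hunk.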
diff --git a/frida_mode/README.md b/frida_mode/README.md
index 165f8089..df40c771 100644
--- a/frida_mode/README.md
+++ b/frida_mode/README.md
@@ -55,6 +55,20 @@ tests in 32-bit mode, run `make ARCH=x86 frida`. When switching between
architectures it may be necessary to run `make clean` first for a given build
target to remove previously generated binaries for a different architecture.
+### Android
+
+In order to build, you need to download the Android SDK.
+
+```
+https://developer.android.com/ndk/downloads
+```
+
+Then creating locally a standalone chain as follow.
+
+```
+https://developer.android.com/ndk/guides/standalone_toolchain
+```
+
## Usage
FRIDA mode added some small modifications to `afl-fuzz` and similar tools
diff --git a/frida_mode/include/instrument.h b/frida_mode/include/instrument.h
index 909b2a2c..cac5ee93 100644
--- a/frida_mode/include/instrument.h
+++ b/frida_mode/include/instrument.h
@@ -29,6 +29,7 @@ GumStalkerTransformer *instrument_get_transformer(void);
/* Functions to be implemented by the different architectures */
gboolean instrument_is_coverage_optimize_supported(void);
+void instrument_coverage_optimize_init(void);
void instrument_coverage_optimize(const cs_insn * instr,
GumStalkerOutput *output);
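Review bot: The new prototype `instrument_coverage_optimize_init` has no comment, although this header is the contract every architecture port has to implement. A short doc comment stating that it is called once from `instrument_init()` and exists for per-architecture setup of the optimized coverage path (the x64 implementation in this commit remaps the coverage map there) would tell porters what a stub is allowed to do; the arm64 and x86 stubs added here are empty, the arm32 one warns.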
diff --git a/frida_mode/include/ranges.h b/frida_mode/include/ranges.h
index 0220a59d..3bd9eaa6 100644
--- a/frida_mode/include/ranges.h
+++ b/frida_mode/include/ranges.h
@@ -10,6 +10,8 @@ extern gboolean ranges_inst_jit;
void ranges_config(void);
void ranges_init(void);
+void ranges_print_debug_maps(void);
+
gboolean range_is_excluded(GumAddress address);
void ranges_exclude();
diff --git a/frida_mode/src/instrument/instrument.c b/frida_mode/src/instrument/instrument.c
index 71d9bdf6..81d85aa1 100644
--- a/frida_mode/src/instrument/instrument.c
+++ b/frida_mode/src/instrument/instrument.c
@@ -356,6 +356,7 @@ void instrument_init(void) {
instrument_hash_seed);
instrument_hash_zero = instrument_get_offset_hash(0);
+ instrument_coverage_optimize_init();
instrument_debug_init();
instrument_coverage_init();
asan_init();
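Review bot: `instrument_coverage_optimize_init()` is called unconditionally here, yet the arm32 implementation added in instrument_arm32.c emits `WARNF("Optimized coverage not supported on this architecture")` on every run, and the x64 implementation remaps `__afl_area_ptr` to a fixed low address, both regardless of whether the user asked for the optimization. If the optimized path is gated by a flag elsewhere in instrument_init (its body continues outside the hunk; `instrument_optimize`, if that is its name, set from AFL_FRIDA_INST_NO_OPTIMIZE), this call should sit behind the same flag, e.g. `if (instrument_optimize) { instrument_coverage_optimize_init(); }`. The arm64 and x86 stubs stay silent, so the arm32 warning is also inconsistent with its siblings.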
diff --git a/frida_mode/src/instrument/instrument_arm32.c b/frida_mode/src/instrument/instrument_arm32.c
index 0e15940a..4b0a648e 100644
--- a/frida_mode/src/instrument/instrument_arm32.c
+++ b/frida_mode/src/instrument/instrument_arm32.c
@@ -22,6 +22,10 @@ void instrument_coverage_optimize(const cs_insn * instr,
}
+void instrument_coverage_optimize_init(void) {
+ WARNF("Optimized coverage not supported on this architecture");
+}
+
void instrument_flush(GumStalkerOutput *output) {
gum_arm_writer_flush(output->writer.arm);
diff --git a/frida_mode/src/instrument/instrument_arm64.c b/frida_mode/src/instrument/instrument_arm64.c
index cf37e048..80d1d845 100644
--- a/frida_mode/src/instrument/instrument_arm64.c
+++ b/frida_mode/src/instrument/instrument_arm64.c
@@ -95,6 +95,9 @@ void instrument_coverage_optimize(const cs_insn * instr,
}
+void instrument_coverage_optimize_init(void) {
+}
+
void instrument_flush(GumStalkerOutput *output) {
gum_arm64_writer_flush(output->writer.arm64);
diff --git a/frida_mode/src/instrument/instrument_x64.c b/frida_mode/src/instrument/instrument_x64.c
index 1c2cf113..a7eb650a 100644
--- a/frida_mode/src/instrument/instrument_x64.c
+++ b/frida_mode/src/instrument/instrument_x64.c
@@ -1,4 +1,16 @@
+#include <fcntl.h>
#include <stddef.h>
+#include <sys/mman.h>
+#include <sys/shm.h>
+
+#if defined(__linux__)
+#if !defined(__ANDROID__)
+#include <asm/prctl.h>
+#include <sys/syscall.h>
+#else
+#include <linux/ashmem.h>
+#endif
+#endif
#include "frida-gumjs.h"
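Review bot: The Android branch added later in this file calls `ioctl()`, but `<sys/ioctl.h>` is not among the new includes; similarly `close()` wants `<unistd.h>`, `errno` wants `<errno.h>` and `getenv()` wants `<stdlib.h>`, so if these compile today it is because frida-gumjs.h or debug.h pulls them in transitively. `<asm/prctl.h>` and `<sys/syscall.h>` are not used by any code visible in this commit; if nothing in the rest of the file needs them they should be dropped rather than left as unexplained Linux-only dependencies.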
@@ -6,245 +18,290 @@
#include "debug.h"
#include "instrument.h"
+#include "ranges.h"
#if defined(__x86_64__)
-static GumAddress current_log_impl = GUM_ADDRESS(0);
+#ifndef MAP_FIXED_NOREPLACE
+ #ifdef MAP_EXCL
+ #define MAP_FIXED_NOREPLACE MAP_EXCL | MAP_FIXED
+ #else
+ #define MAP_FIXED_NOREPLACE MAP_FIXED
+ #endif
+#endif
- #pragma pack(push, 1)
+gboolean instrument_is_coverage_optimize_supported(void) {
+ return true;
+
+}
+
+static gboolean instrument_coverage_in_range(gssize offset) {
+
+ return (offset >= G_MININT32 && offset <= G_MAXINT32);
+
+}
+
+ #pragma pack(push, 1)
typedef struct {
- /*
- * pushfq
- * push rdx
- * mov rdx, [&previouspc] (rip relative addr)
- * xor rdx, rdi (current_pc)
- * shr rdi. 1
- * mov [&previouspc], rdi
- * lea rsi, [&_afl_area_ptr] (rip relative)
- * add rdx, rsi
- * add byte ptr [rdx], 1
- * adc byte ptr [rdx], 0
-
- * pop rdx
- * popfq
- */
+ // cur_location = (block_address >> 4) ^ (block_address << 8);
+ // shared_mem[cur_location ^ prev_location]++;
+ // prev_location = cur_location >> 1;
+
+ // => 0x7ffff6cfb086: lea rsp,[rsp-0x80]
+ // 0x7ffff6cfb08b: pushf
+ // 0x7ffff6cfb08c: push rsi
+ // 0x7ffff6cfb08d: mov rsi,0x228
+ // 0x7ffff6cfb094: xchg QWORD PTR [rip+0x3136a5],rsi # 0x7ffff700e740
+ // 0x7ffff6cfb09b: xor rsi,0x451
+ // 0x7ffff6cfb0a2: add BYTE PTR [rsi+0x10000],0x1
+ // 0x7ffff6cfb0a9: adc BYTE PTR [rsi+0x10000],0x0
+ // 0x7ffff6cfb0b0: pop rsi
+ // 0x7ffff6cfb0b1: popf
+ // 0x7ffff6cfb0b2: lea rsp,[rsp+0x80]
+
+
+ uint8_t lea_rsp_rsp_sub_rz[5];
uint8_t push_fq;
- uint8_t push_rdx;
- uint8_t mov_rdx_rip_off[7];
- uint8_t xor_rdx_rdi[3];
- uint8_t shr_rdi[3];
- uint8_t mov_rip_off_rdi[7];
-
- uint8_t lea_rdi_rip_off[7];
- uint8_t add_rdx_rdi[3];
- uint8_t add_byte_ptr_rdx[3];
- uint8_t adc_byte_ptr_rdx[3];
-
- uint8_t pop_rdx;
+ uint8_t push_rsi;
+
+ uint8_t mov_rsi_curr_loc_shr_1[7];
+ uint8_t xchg_rsi_prev_loc_curr_loc[7];
+ uint8_t xor_rsi_curr_loc[7];
+
+ uint8_t add_rsi_1[7];
+ uint8_t adc_rsi_0[7];
+
+ uint8_t pop_rsi;
uint8_t pop_fq;
- uint8_t ret;
+ uint8_t lsa_rsp_rsp_add_rz[8];
} afl_log_code_asm_t;
#pragma pack(pop)
- #pragma pack(push, 8)
-typedef struct {
+typedef union {
- afl_log_code_asm_t assembly;
- uint64_t current_pc;
+ afl_log_code_asm_t code;
+ uint8_t bytes[0];
-} afl_log_code_t;
+} afl_log_code;
- #pragma pack(pop)
+static const afl_log_code_asm_t template =
+ {
-typedef union {
+ .lea_rsp_rsp_sub_rz = {0x48, 0x8D, 0x64, 0x24, 0x80},
+ .push_fq = 0x9c,
+ .push_rsi = 0x56,
- afl_log_code_t data;
- uint8_t bytes[0];
+ .mov_rsi_curr_loc_shr_1 = {0x48, 0xC7, 0xC6},
+ .xchg_rsi_prev_loc_curr_loc = {0x48, 0x87, 0x35},
+ .xor_rsi_curr_loc = {0x48, 0x81, 0xF6},
-} afl_log_code;
+ .add_rsi_1 = {0x80, 0x86, 0x00, 0x00, 0x00, 0x00, 0x01},
+ .adc_rsi_0 = {0x80, 0x96, 0x00, 0x00, 0x00, 0x00, 0x00},
-static const afl_log_code_asm_t template = {
+ .pop_rsi = 0x5E,
+ .pop_fq = 0x9D,
+ .lsa_rsp_rsp_add_rz = {0x48, 0x8D, 0xA4, 0x24, 0x80, 0x00, 0x00, 0x00},
- .push_fq = 0x9c,
- .push_rdx = 0x52,
- .mov_rdx_rip_off =
- {
+}
- 0x48, 0x8b, 0x15,
- /* TBC */
+;
- },
+static gboolean instrument_coverage_find_low(const GumRangeDetails *details,
+ gpointer user_data) {
- .xor_rdx_rdi =
- {
+ static GumAddress last_limit = (64ULL << 10);
+ gpointer * address = (gpointer *)user_data;
- 0x48,
- 0x31,
- 0xfa,
+ if ((details->range->base_address - last_limit) > __afl_map_size) {
- },
+ *address = GSIZE_TO_POINTER(last_limit);
+ return FALSE;
- .shr_rdi = {0x48, 0xd1, 0xef},
- .mov_rip_off_rdi = {0x48, 0x89, 0x3d},
+ }
- .lea_rdi_rip_off =
- {
+ if (details->range->base_address > ((2ULL << 20) - __afl_map_size)) {
- 0x48,
- 0x8d,
- 0x3d,
+ return FALSE;
- },
+ }
- .add_rdx_rdi = {0x48, 0x01, 0xfA},
+ last_limit = details->range->base_address + details->range->size;
+ return TRUE;
- .add_byte_ptr_rdx =
- {
+}
- 0x80,
- 0x02,
- 0x01,
+static void instrument_coverage_optimize_map_mmap_anon(gpointer address) {
- },
+ __afl_area_ptr =
+ mmap(address, __afl_map_size, PROT_READ | PROT_WRITE,
+ MAP_FIXED_NOREPLACE | MAP_SHARED | MAP_ANONYMOUS, -1, 0);
+ if (__afl_area_ptr != address) {
- .adc_byte_ptr_rdx =
- {
+ FATAL("Failed to map mmap __afl_area_ptr: %d", errno);
- 0x80,
- 0x12,
- 0x00,
+ }
- },
+}
- .pop_rdx = 0x5a,
- .pop_fq = 0x9d,
- .ret = 0xc3};
+static void instrument_coverage_optimize_map_mmap(char * shm_file_path,
+ gpointer address) {
-static guint8 align_pad[] = {0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90};
+ int shm_fd = -1;
-gboolean instrument_is_coverage_optimize_supported(void) {
+ if (munmap(__afl_area_ptr, __afl_map_size) != 0) {
- return true;
+ FATAL("Failed to unmap previous __afl_area_ptr");
-}
+ }
-static gboolean instrument_coverage_in_range(gssize offset) {
+ __afl_area_ptr = NULL;
- return (offset >= G_MININT32 && offset <= G_MAXINT32);
+#if !defined(__ANDROID__)
+ shm_fd = shm_open(shm_file_path, O_RDWR, DEFAULT_PERMISSION);
+ if (shm_fd == -1) { FATAL("shm_open() failed\n"); }
+#else
+ shm_fd = open("/dev/ashmem", O_RDWR);
+ if (shm_fd == -1) { FATAL("open() failed\n"); }
+ if (ioctl(shm_fd, ASHMEM_SET_NAME, shm_file_path) == -1) { FATAL("ioctl(ASHMEM_SET_NAME) failed"); }
+ if (ioctl(shm_fd, ASHMEM_SET_SIZE, __afl_map_size) == -1) { FATAL("ioctl(ASHMEM_SET_SIZE) failed"); }
+
+#endif
+
+ __afl_area_ptr = mmap(address, __afl_map_size, PROT_READ | PROT_WRITE,
+ MAP_FIXED_NOREPLACE | MAP_SHARED, shm_fd, 0);
+ if (__afl_area_ptr != address) {
+
+ FATAL("Failed to map mmap __afl_area_ptr: %d", errno);
+
+ }
+
+ if (close(shm_fd) != 0) { FATAL("Failed to close shm_fd"); }
}
-static void instrument_coverate_write_function(GumStalkerOutput *output) {
+static void instrument_coverage_optimize_map_shm(guint64 shm_env_val,
+ gpointer address) {
- guint64 misalign = 0;
- GumX86Writer *cw = output->writer.x86;
- GumAddress code_addr = 0;
- afl_log_code code = {0};
- /*guint64 instrument_hash_zero = 0;*/
+ if (shmdt(__afl_area_ptr) != 0) {
- if (current_log_impl == 0 ||
- !gum_x86_writer_can_branch_directly_between(cw->pc, current_log_impl) ||
- !gum_x86_writer_can_branch_directly_between(cw->pc + 128,
- current_log_impl)) {
+ FATAL("Failed to detach previous __afl_area_ptr");
- gconstpointer after_log_impl = cw->code + 1;
+ }
- gum_x86_writer_put_jmp_near_label(cw, after_log_impl);
+ __afl_area_ptr = shmat(shm_env_val, address, 0);
+ if (__afl_area_ptr != address) {
- misalign = (cw->pc & 0x7);
- if (misalign != 0) {
+ FATAL("Failed to map shm __afl_area_ptr: %d", errno);
- gum_x86_writer_put_bytes(cw, align_pad, 8 - misalign);
+ }
- }
+}
- current_log_impl = cw->pc;
- // gum_x86_writer_put_breakpoint(cw);
- code_addr = cw->pc;
+void instrument_coverage_optimize_init(void) {
- code.data.assembly = template;
- code.data.current_pc = instrument_get_offset_hash(0);
+ gpointer low_address = NULL;
- gssize current_pc_value1 =
- GPOINTER_TO_SIZE(&instrument_previous_pc) -
- (code_addr + offsetof(afl_log_code, data.assembly.mov_rdx_rip_off) +
- sizeof(code.data.assembly.mov_rdx_rip_off));
- gssize patch_offset1 =
- offsetof(afl_log_code, data.assembly.mov_rdx_rip_off) +
- sizeof(code.data.assembly.mov_rdx_rip_off) - sizeof(gint);
- if (!instrument_coverage_in_range(current_pc_value1)) {
+ gum_process_enumerate_ranges(GUM_PAGE_NO_ACCESS, instrument_coverage_find_low,
+ &low_address);
- FATAL("Patch out of range (current_pc_value1): 0x%016lX",
- current_pc_value1);
+ OKF("Low address: %p", low_address);
- }
+ if (low_address == 0 ||
+ GPOINTER_TO_SIZE(low_address) > ((2UL << 20) - __afl_map_size)) {
- gint *dst_pc_value = (gint *)&code.bytes[patch_offset1];
- *dst_pc_value = (gint)current_pc_value1;
+ FATAL("Invalid low_address: %p", low_address);
- gssize current_pc_value2 =
- GPOINTER_TO_SIZE(&instrument_previous_pc) -
- (code_addr + offsetof(afl_log_code, data.assembly.mov_rip_off_rdi) +
- sizeof(code.data.assembly.mov_rip_off_rdi));
- gssize patch_offset2 =
- offsetof(afl_log_code, data.assembly.mov_rip_off_rdi) +
- sizeof(code.data.assembly.mov_rip_off_rdi) - sizeof(gint);
+ }
- if (!instrument_coverage_in_range(current_pc_value2)) {
+ ranges_print_debug_maps();
- FATAL("Patch out of range (current_pc_value2): 0x%016lX",
- current_pc_value2);
+ char *shm_env = getenv(SHM_ENV_VAR);
+ OKF("SHM_ENV_VAR: %s", shm_env);
- }
+ if (shm_env == NULL) {
- dst_pc_value = (gint *)&code.bytes[patch_offset2];
- *dst_pc_value = (gint)current_pc_value2;
+ WARNF("SHM_ENV_VAR not set, using anonymous map for debugging purposes");
- gsize afl_area_ptr_value =
- GPOINTER_TO_SIZE(__afl_area_ptr) -
- (code_addr + offsetof(afl_log_code, data.assembly.lea_rdi_rip_off) +
- sizeof(code.data.assembly.lea_rdi_rip_off));
- gssize afl_area_ptr_offset =
- offsetof(afl_log_code, data.assembly.lea_rdi_rip_off) +
- sizeof(code.data.assembly.lea_rdi_rip_off) - sizeof(gint);
+ instrument_coverage_optimize_map_mmap_anon(low_address);
- if (!instrument_coverage_in_range(afl_area_ptr_value)) {
+ } else {
- FATAL("Patch out of range (afl_area_ptr_value): 0x%016lX",
- afl_area_ptr_value);
+ guint64 shm_env_val = g_ascii_strtoull(shm_env, NULL, 10);
- }
+ if (shm_env_val == 0) {
- gint *dst_afl_area_ptr_value = (gint *)&code.bytes[afl_area_ptr_offset];
- *dst_afl_area_ptr_value = (gint)afl_area_ptr_value;
+ instrument_coverage_optimize_map_mmap(shm_env, low_address);
- gum_x86_writer_put_bytes(cw, code.bytes, sizeof(afl_log_code));
+ } else {
- gum_x86_writer_put_label(cw, after_log_impl);
+ instrument_coverage_optimize_map_shm(shm_env_val, low_address);
+
+ }
}
+ OKF("__afl_area_ptr: %p", __afl_area_ptr);
+ OKF("instrument_previous_pc: %p", &instrument_previous_pc);
+
}
void instrument_coverage_optimize(const cs_insn * instr,
GumStalkerOutput *output) {
+ afl_log_code code = {0};
GumX86Writer *cw = output->writer.x86;
guint64 area_offset = instrument_get_offset_hash(GUM_ADDRESS(instr->address));
- instrument_coverate_write_function(output);
-
- gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_REG_RSP, GUM_REG_RSP,
- -GUM_RED_ZONE_SIZE);
- gum_x86_writer_put_push_reg(cw, GUM_REG_RDI);
- gum_x86_writer_put_mov_reg_address(cw, GUM_REG_RDI, area_offset);
- gum_x86_writer_put_call_address(cw, current_log_impl);
- gum_x86_writer_put_pop_reg(cw, GUM_REG_RDI);
- gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_REG_RSP, GUM_REG_RSP,
- GUM_RED_ZONE_SIZE);
+ GumAddress code_addr = 0;
+
+ // gum_x86_writer_put_breakpoint(cw);
+ code_addr = cw->pc;
+ code.code = template;
+
+ gssize curr_loc_shr_1_offset =
+ offsetof(afl_log_code, code.mov_rsi_curr_loc_shr_1) +
+ sizeof(code.code.mov_rsi_curr_loc_shr_1) - sizeof(guint32);
+
+ *((guint32 *)&code.bytes[curr_loc_shr_1_offset]) =
+ (guint32)(area_offset >> 1);
+
+ gssize prev_loc_value =
+ GPOINTER_TO_SIZE(&instrument_previous_pc) -
+ (code_addr + offsetof(afl_log_code, code.xchg_rsi_prev_loc_curr_loc) +
+ sizeof(code.code.xchg_rsi_prev_loc_curr_loc));
+ gssize prev_loc_value_offset =
+ offsetof(afl_log_code, code.xchg_rsi_prev_loc_curr_loc) +
+ sizeof(code.code.xchg_rsi_prev_loc_curr_loc) - sizeof(gint);
+ if (!instrument_coverage_in_range(prev_loc_value)) {
+
+ FATAL("Patch out of range (current_pc_value1): 0x%016lX", prev_loc_value);
+
+ }
+
+ *((gint *)&code.bytes[prev_loc_value_offset]) = (gint)prev_loc_value;
+
+ gssize xor_curr_loc_offset = offsetof(afl_log_code, code.xor_rsi_curr_loc) +
+ sizeof(code.code.xor_rsi_curr_loc) -
+ sizeof(guint32);
+
+ *((guint32 *)&code.bytes[xor_curr_loc_offset]) = (guint32)(area_offset);
+
+ gssize add_rsi_1_offset = offsetof(afl_log_code, code.add_rsi_1) +
+ sizeof(code.code.add_rsi_1) - sizeof(guint32) - 1;
+
+ *((guint32 *)&code.bytes[add_rsi_1_offset]) =
+ (guint32)GPOINTER_TO_SIZE(__afl_area_ptr);
+
+ gssize adc_rsi_0_ffset = offsetof(afl_log_code, code.adc_rsi_0) +
+ sizeof(code.code.adc_rsi_0) - sizeof(guint32) - 1;
+
+ *((guint32 *)&code.bytes[adc_rsi_0_ffset]) =
+ (guint32)GPOINTER_TO_SIZE(__afl_area_ptr);
+
+ gum_x86_writer_put_bytes(cw, code.bytes, sizeof(afl_log_code));
}
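Review bot: `OKF("SHM_ENV_VAR: %s", shm_env);` runs before the `shm_env == NULL` check, so an unset variable passes a null pointer to `%s`, which is undefined behaviour (glibc typically prints "(null)", other libcs may crash); write `OKF("SHM_ENV_VAR: %s", shm_env ? shm_env : "(unset)");` or move the log after the check. The `MAP_FIXED_NOREPLACE` fallback to plain `MAP_FIXED` silently replaces whatever is already mapped at `address`, and the `__afl_area_ptr != address` check cannot detect that, so on a platform or glibc without `MAP_FIXED_NOREPLACE`/`MAP_EXCL` the coverage map can land on top of a live page; mapping without any fixed flag and relying on the equality check is the safer fallback. The FATAL in instrument_coverage_optimize still names `current_pc_value1`, a variable this rewrite removed; it should read `FATAL("Patch out of range (prev_loc_value): 0x%016lX", prev_loc_value);`. The immediates are patched by storing `guint32`/`gint` through casts into the packed `uint8_t bytes[]` view, an unaligned, aliasing-violating store that works on x86 by accident; `memcpy(&code.bytes[off], &val, sizeof val)` says the same thing without undefined behaviour. `ranges_print_debug_maps()` is called unconditionally from the new init, dumping the whole process map on every run, whereas ranges_config only does so when AFL_FRIDA_DEBUG_MAPS is set; the call should be gated the same way.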
diff --git a/frida_mode/src/instrument/instrument_x86.c b/frida_mode/src/instrument/instrument_x86.c
index 7bf48f96..1ff5c920 100644
--- a/frida_mode/src/instrument/instrument_x86.c
+++ b/frida_mode/src/instrument/instrument_x86.c
@@ -83,6 +83,9 @@ void instrument_coverage_optimize(const cs_insn * instr,
}
+void instrument_coverage_optimize_init(void) {
+}
+
void instrument_flush(GumStalkerOutput *output) {
gum_x86_writer_flush(output->writer.x86);
diff --git a/frida_mode/src/ranges.c b/frida_mode/src/ranges.c
index 5b6eb462..1b666fce 100644
--- a/frida_mode/src/ranges.c
+++ b/frida_mode/src/ranges.c
@@ -549,18 +549,19 @@ static GArray *merge_ranges(GArray *a) {
}
+void ranges_print_debug_maps(void) {
+
+ gum_process_enumerate_ranges(GUM_PAGE_NO_ACCESS, print_ranges_callback, NULL);
+
+}
+
void ranges_config(void) {
if (getenv("AFL_FRIDA_DEBUG_MAPS") != NULL) { ranges_debug_maps = TRUE; }
if (getenv("AFL_INST_LIBS") != NULL) { ranges_inst_libs = TRUE; }
if (getenv("AFL_FRIDA_INST_JIT") != NULL) { ranges_inst_jit = TRUE; }
- if (ranges_debug_maps) {
-
- gum_process_enumerate_ranges(GUM_PAGE_NO_ACCESS, print_ranges_callback,
- NULL);
-
- }
+ if (ranges_debug_maps) { ranges_print_debug_maps(); }
include_ranges = collect_ranges("AFL_FRIDA_INST_RANGES");
exclude_ranges = collect_ranges("AFL_FRIDA_EXCLUDE_RANGES");
diff --git a/frida_mode/src/seccomp/seccomp_atomic.c b/frida_mode/src/seccomp/seccomp_atomic.c
index 5097511a..c2042f97 100644
--- a/frida_mode/src/seccomp/seccomp_atomic.c
+++ b/frida_mode/src/seccomp/seccomp_atomic.c
@@ -1,4 +1,4 @@
-#ifndef __APPLE__
+#if defined(__linux__) && !defined(__ANDROID__)
#include <stdbool.h>
#include <stdio.h>
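Review bot: The guard `#if defined(__linux__) && !defined(__ANDROID__)` is now duplicated verbatim across eight sources (seccomp_atomic.c, seccomp_callback.c, seccomp_child.c, seccomp_event.c, seccomp_filter.c, seccomp_print.c, seccomp_socket.c, seccomp_syscall.c); a single feature macro defined in the shared seccomp header and tested as `#if SECCOMP_SUPPORTED` (name constructed) would keep them in sync the next time a platform is added or excluded. Each file's matching `#endif` lies outside its hunk.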
diff --git a/frida_mode/src/seccomp/seccomp_callback.c b/frida_mode/src/seccomp/seccomp_callback.c
index 7e1e2070..a88196ac 100644
--- a/frida_mode/src/seccomp/seccomp_callback.c
+++ b/frida_mode/src/seccomp/seccomp_callback.c
@@ -1,4 +1,4 @@
-#ifndef __APPLE__
+#if defined(__linux__) && !defined(__ANDROID__)
#include <execinfo.h>
#include <fcntl.h>
diff --git a/frida_mode/src/seccomp/seccomp_child.c b/frida_mode/src/seccomp/seccomp_child.c
index f665f472..43a79894 100644
--- a/frida_mode/src/seccomp/seccomp_child.c
+++ b/frida_mode/src/seccomp/seccomp_child.c
@@ -1,4 +1,4 @@
-#ifndef __APPLE__
+#if defined(__linux__) && !defined(__ANDROID__)
#include <fcntl.h>
#include <sched.h>
diff --git a/frida_mode/src/seccomp/seccomp_event.c b/frida_mode/src/seccomp/seccomp_event.c
index dd4abde7..e2f592ca 100644
--- a/frida_mode/src/seccomp/seccomp_event.c
+++ b/frida_mode/src/seccomp/seccomp_event.c
@@ -1,4 +1,4 @@
-#ifndef __APPLE__
+#if defined(__linux__) && !defined(__ANDROID__)
#include <stdint.h>
#include <stdio.h>
diff --git a/frida_mode/src/seccomp/seccomp_filter.c b/frida_mode/src/seccomp/seccomp_filter.c
index 13ff7522..8d56c367 100644
--- a/frida_mode/src/seccomp/seccomp_filter.c
+++ b/frida_mode/src/seccomp/seccomp_filter.c
@@ -1,4 +1,4 @@
-#ifndef __APPLE__
+#if defined(__linux__) && !defined(__ANDROID__)
#include <alloca.h>
#include <errno.h>
diff --git a/frida_mode/src/seccomp/seccomp_print.c b/frida_mode/src/seccomp/seccomp_print.c
index be4d80ce..3cea1239 100644
--- a/frida_mode/src/seccomp/seccomp_print.c
+++ b/frida_mode/src/seccomp/seccomp_print.c
@@ -1,4 +1,4 @@
-#ifndef __APPLE__
+#if defined(__linux__) && !defined(__ANDROID__)
#include <stdarg.h>
diff --git a/frida_mode/src/seccomp/seccomp_socket.c b/frida_mode/src/seccomp/seccomp_socket.c
index fae95805..ef937420 100644
--- a/frida_mode/src/seccomp/seccomp_socket.c
+++ b/frida_mode/src/seccomp/seccomp_socket.c
@@ -1,4 +1,4 @@
-#ifndef __APPLE__
+#if defined(__linux__) && !defined(__ANDROID__)
#include <stdio.h>
#include <string.h>
diff --git a/frida_mode/src/seccomp/seccomp_syscall.c b/frida_mode/src/seccomp/seccomp_syscall.c
index e023c131..8335b93c 100644
--- a/frida_mode/src/seccomp/seccomp_syscall.c
+++ b/frida_mode/src/seccomp/seccomp_syscall.c
@@ -1,4 +1,4 @@
-#ifndef __APPLE__
+#if defined(__linux__) && !defined(__ANDROID__)
#include <limits.h>
#include <stdio.h>