diff options
-rw-r--r-- | frida_mode/addr/addr.c | 2 | ||||
-rw-r--r-- | frida_mode/include/instrument.h | 17 | ||||
-rw-r--r-- | frida_mode/src/instrument/instrument.c | 21 | ||||
-rw-r--r-- | frida_mode/src/instrument/instrument_arm64.c | 24 | ||||
-rw-r--r-- | frida_mode/src/instrument/instrument_x64.c | 17 | ||||
-rw-r--r-- | frida_mode/src/instrument/instrument_x86.c | 17 | ||||
-rw-r--r-- | frida_mode/src/persistent/persistent_arm64.c | 8 | ||||
-rw-r--r-- | frida_mode/src/persistent/persistent_x64.c | 8 | ||||
-rw-r--r-- | frida_mode/src/persistent/persistent_x86.c | 8 |
9 files changed, 94 insertions, 28 deletions
diff --git a/frida_mode/addr/addr.c b/frida_mode/addr/addr.c
index 40ddc5ba..371f69d4 100644
--- a/frida_mode/addr/addr.c
+++ b/frida_mode/addr/addr.c
@@ -32,7 +32,7 @@ int main (int argc, char** argv, char** envp) {
 dl_iterate_phdr(phdr_callback, &base);
- printf("0x%016lx\n", base);
+ printf("%p\n", (void *)base);
 if (base == 0) { return 1; }
 return 0;
diff --git a/frida_mode/include/instrument.h b/frida_mode/include/instrument.h
index 63f12181..abb89c9f 100644
--- a/frida_mode/include/instrument.h
+++ b/frida_mode/include/instrument.h
@@ -5,14 +5,13 @@
 #include "config.h"
-extern char * instrument_debug_filename;
-extern char * instrument_coverage_filename;
-extern gboolean instrument_tracing;
-extern gboolean instrument_optimize;
-extern gboolean instrument_unique;
-extern __thread guint64 instrument_previous_pc;
-extern guint64 instrument_hash_zero;
-extern char * instrument_coverage_unstable_filename;
+extern char * instrument_debug_filename;
+extern char * instrument_coverage_filename;
+extern gboolean instrument_tracing;
+extern gboolean instrument_optimize;
+extern gboolean instrument_unique;
+extern guint64 instrument_hash_zero;
+extern char * instrument_coverage_unstable_filename;
 extern gboolean instrument_use_fixed_seed;
 extern guint64 instrument_fixed_seed;
@@ -20,6 +19,8 @@ extern guint64 instrument_fixed_seed;
 extern uint8_t *__afl_area_ptr;
 extern uint32_t __afl_map_size;
+extern __thread guint64 *instrument_previous_pc_addr;
+
 void instrument_config(void);
 void instrument_init(void);
diff --git a/frida_mode/src/instrument/instrument.c b/frida_mode/src/instrument/instrument.c
index bf102a82..46ed1a34 100644
--- a/frida_mode/src/instrument/instrument.c
+++ b/frida_mode/src/instrument/instrument.c
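Review bot: `printf("%p\n", (void *)base);` prints in an implementation-defined format — glibc, for one, emits `(nil)` for a null pointer and never zero-pads — and it runs before the `base == 0` check, so a failed lookup now writes `(nil)` to stdout before the non-zero exit. If anything parses this output (the consumer is not visible here), the old fixed-width `0x%016lx` form was the stable contract; either hoist the check, `if (base == 0) { return 1; }`, ahead of the print, or keep a fixed hex format with `printf("0x%016" PRIxPTR "\n", (uintptr_t)base);` (needs `<inttypes.h>`), which also avoids the `%lx`-versus-type warning the `%p` switch presumably silenced. main's body starts outside the hunk.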
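Review bot: The new `extern __thread guint64 *instrument_previous_pc_addr;` in the second instrument.h hunk carries no comment, and its contract is unusual: it is NULL until the first basic block (or the first optimized stub) on that thread initialises it, and the three persistent-loop functions in this commit FATAL if they find it still NULL. Add above the declaration: `/* Per-thread pointer to the previous-location word used for edge hashing. NULL until the first instrumented block on this thread sets it; callers must not dereference it before then. */`. Noting where it points (a page allocated near the Stalker code in the optimized backends, a thread-local fallback word otherwise) would save the next reader a trip through three backend files.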
@@ -32,12 +32,13 @@ char * instrument_coverage_unstable_filename = NULL;
 static GumStalkerTransformer *transformer = NULL;
-__attribute__((aligned(0x1000))) __thread guint64 instrument_previous_pc = 0;
-
 static GumAddress previous_rip = 0;
 static GumAddress previous_end = 0;
 static u8 * edges_notified = NULL;
+__thread guint64 instrument_previous_pc;
+__thread guint64 *instrument_previous_pc_addr = NULL;
+
 typedef struct {
 GumAddress address;
@@ -105,8 +106,14 @@ __attribute__((hot)) static void on_basic_block(GumCpuContext *context,
 guint16 current_end = ctx->end;
 guint64 current_pc = instrument_get_offset_hash(current_rip);
 guint64 edge;
+ if (instrument_previous_pc_addr == NULL) {
+
+ instrument_previous_pc_addr = &instrument_previous_pc;
+ *instrument_previous_pc_addr = instrument_hash_zero;
+
+ }
- edge = current_pc ^ instrument_previous_pc;
+ edge = current_pc ^ *instrument_previous_pc_addr;
 instrument_increment_map(edge);
@@ -136,7 +143,7 @@ __attribute__((hot)) static void on_basic_block(GumCpuContext *context,
 previous_end = current_end;
 gsize map_size_pow2 = util_log2(__afl_map_size);
- instrument_previous_pc = util_rotate(current_pc, 1, map_size_pow2);
+ *instrument_previous_pc_addr = util_rotate(current_pc, 1, map_size_pow2);
 }
@@ -393,7 +400,11 @@ GumStalkerTransformer *instrument_get_transformer(void) {
 void instrument_on_fork() {
- instrument_previous_pc = instrument_hash_zero;
+ if (instrument_previous_pc_addr != NULL) {
+
+ *instrument_previous_pc_addr = instrument_hash_zero;
+
+ }
 }
diff --git a/frida_mode/src/instrument/instrument_arm64.c b/frida_mode/src/instrument/instrument_arm64.c
index 27142f1f..f5557bb8 100644
--- a/frida_mode/src/instrument/instrument_arm64.c
+++ b/frida_mode/src/instrument/instrument_arm64.c
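Review bot: `__thread guint64 instrument_previous_pc;` in the first hunk is now defined with external linkage even though its `extern` was removed from instrument.h and no other file in this diff references it; make it `static __thread guint64 instrument_previous_pc;` so the only route to it is `instrument_previous_pc_addr`, and the linker cannot silently resolve a stale reference from an out-of-tree backend. A one-line comment would also help: `/* Fallback previous-pc word for the non-optimized path; on_basic_block points instrument_previous_pc_addr here on first use. */`. The lazy initialisation in on_basic_block and the NULL-tolerant reset in instrument_on_fork agree with each other; on_basic_block's body starts and ends outside its two hunks.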
@@ -155,10 +155,23 @@ void instrument_coverage_optimize(const cs_insn * instr,
 afl_log_code code = {0};
 GumArm64Writer *cw = output->writer.arm64;
 guint64 area_offset = instrument_get_offset_hash(GUM_ADDRESS(instr->address));
- gsize map_size_pow2;
- gsize area_offset_ror;
+ gsize map_size_pow2;
+ gsize area_offset_ror;
 GumAddress code_addr = 0;
+ if (instrument_previous_pc_addr == NULL) {
+
+ GumAddressSpec spec = {.near_address = cw->code, .max_distance = 1ULL << 30};
+
+ instrument_previous_pc_addr = gum_memory_allocate_near( &spec, sizeof(guint64), 0x1000, GUM_PAGE_READ | GUM_PAGE_WRITE);
+ *instrument_previous_pc_addr = instrument_hash_zero;
+ FVERBOSE("instrument_previous_pc_addr: %p", instrument_previous_pc_addr);
+ FVERBOSE("code_addr: %p", cw->code);
+
+ }
+
 // gum_arm64_writer_put_brk_imm(cw, 0x0);
 code_addr = cw->pc;
@@ -170,13 +183,13 @@ void instrument_coverage_optimize(const cs_insn * instr,
 * 64KB in size, then it should also end on a 64 KB boundary. It is followed
 * by our previous_pc, so this too should be 64KB aligned.
 */
- g_assert(PAGE_ALIGNED(&instrument_previous_pc));
+ g_assert(PAGE_ALIGNED(instrument_previous_pc_addr));
 g_assert(PAGE_ALIGNED(__afl_area_ptr));
 instrument_patch_ardp( &code.code.adrp_x0_prev_loc1, code_addr + offsetof(afl_log_code, code.adrp_x0_prev_loc1),
- GUM_ADDRESS(&instrument_previous_pc));
+ GUM_ADDRESS(instrument_previous_pc_addr));
 code.code.mov_x0_curr_loc |= area_offset << 5;
@@ -191,7 +204,7 @@ void instrument_coverage_optimize(const cs_insn * instr,
 instrument_patch_ardp( &code.code.adrp_x0_prev_loc2, code_addr + offsetof(afl_log_code, code.adrp_x0_prev_loc2),
- GUM_ADDRESS(&instrument_previous_pc));
+ GUM_ADDRESS(instrument_previous_pc_addr));
 code.code.mov_x1_curr_loc_shr_1 |= (area_offset_ror << 5);
@@ -214,7 +227,6 @@ void instrument_coverage_optimize_init(void) {
 }
 FVERBOSE("__afl_area_ptr: %p", __afl_area_ptr);
- FVERBOSE("instrument_previous_pc: %p", &instrument_previous_pc);
 }
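Review bot: `gum_memory_allocate_near` can return NULL when no free page exists within `max_distance` of `cw->code`, and the next line, `*instrument_previous_pc_addr = instrument_hash_zero;`, stores through the result unchecked, so an allocation failure becomes a NULL write inside the transformer instead of a diagnostic. Add `if (instrument_previous_pc_addr == NULL) { FATAL("Failed to allocate instrument_previous_pc_addr"); }` between the allocate call and the store, which mirrors the FATAL the persistent-loop functions in this same commit already use for the uninitialised case. The identical unchecked block is repeated in instrument_x64.c and instrument_x86.c, so whichever fix lands should land in all three. instrument_coverage_optimize continues outside the hunk.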
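Review bot: The comment left as context in the second hunk, `It is followed by our previous_pc, so this too should be 64KB aligned`, no longer describes the code: previous_pc is now a separately allocated page requested with 0x1000 alignment in the first hunk, not a word placed after the coverage map. Reword it along the lines of `/* previous_pc now lives in its own page allocated near the Stalker code (see the top of this function); the adrp below relies on it being page aligned, which the g_assert checks. */`. Whether `PAGE_ALIGNED(instrument_previous_pc_addr)` holds with a 0x1000 alignment request on a 64 KB-page arm64 kernel depends on gum_memory_allocate_near rounding up to a whole page, which this diff does not show — worth confirming rather than leaving it to the runtime assert.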
diff --git a/frida_mode/src/instrument/instrument_x64.c b/frida_mode/src/instrument/instrument_x64.c
index b7b6ca6f..0ea4f7f0 100644
--- a/frida_mode/src/instrument/instrument_x64.c
+++ b/frida_mode/src/instrument/instrument_x64.c
@@ -360,7 +360,6 @@ void instrument_coverage_optimize_init(void) {
 }
 FVERBOSE("__afl_area_ptr: %p", __afl_area_ptr);
- FVERBOSE("instrument_previous_pc: %p", &instrument_previous_pc);
 }
@@ -439,6 +438,18 @@ void instrument_coverage_optimize(const cs_insn * instr,
 gsize map_size_pow2;
 gsize area_offset_ror;
 GumAddress code_addr = 0;
+ if (instrument_previous_pc_addr == NULL) {
+
+ GumAddressSpec spec = {.near_address = cw->code, .max_distance = 1ULL << 30};
+
+ instrument_previous_pc_addr = gum_memory_allocate_near( &spec, sizeof(guint64), 0x1000, GUM_PAGE_READ | GUM_PAGE_WRITE);
+ *instrument_previous_pc_addr = instrument_hash_zero;
+ FVERBOSE("instrument_previous_pc_addr: %p", instrument_previous_pc_addr);
+ FVERBOSE("code_addr: %p", cw->code);
+
+ }
 instrument_coverage_suppress_init();
@@ -462,7 +473,7 @@ void instrument_coverage_optimize(const cs_insn * instr,
 *((guint32 *)&code.bytes[curr_loc_shr_1_offset]) = (guint32)(area_offset_ror);
 gssize prev_loc_value =
- GPOINTER_TO_SIZE(&instrument_previous_pc) -
+ GPOINTER_TO_SIZE(instrument_previous_pc_addr) -
 (code_addr + offsetof(afl_log_code, code.mov_prev_loc_curr_loc_shr1) + sizeof(code.code.mov_prev_loc_curr_loc_shr1));
 gssize prev_loc_value_offset =
@@ -478,7 +489,7 @@ void instrument_coverage_optimize(const cs_insn * instr,
 *((gint *)&code.bytes[prev_loc_value_offset]) = (gint)prev_loc_value;
 gssize prev_loc_value2 =
- GPOINTER_TO_SIZE(&instrument_previous_pc) -
+ GPOINTER_TO_SIZE(instrument_previous_pc_addr) -
 (code_addr + offsetof(afl_log_code, code.mov_eax_prev_loc) + sizeof(code.code.mov_eax_prev_loc));
 gssize prev_loc_value_offset2 =
diff --git a/frida_mode/src/instrument/instrument_x86.c b/frida_mode/src/instrument/instrument_x86.c
index ad837e2d..c4e93324 100644
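Review bot: In the `-439` hunk the `gum_memory_allocate_near` result is dereferenced on the very next line, `*instrument_previous_pc_addr = instrument_hash_zero;`, without a NULL check, so failing to find a free page within `1ULL << 30` of `cw->code` becomes a NULL write while the stub is being generated. Insert `if (instrument_previous_pc_addr == NULL) { FATAL("Failed to allocate instrument_previous_pc_addr"); }` between the call and the store; the persistent-loop functions in this commit already FATAL on the uninitialised case, so this keeps the policy consistent across the backend. instrument_coverage_optimize continues outside the hunk.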
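Review bot: `prev_loc_value` in the `-462` hunk is a `gssize` displacement from the stub to the freshly allocated previous-pc page, and it is narrowed to 32 bits by the `(gint)prev_loc_value` store shown at the top of the following hunk with no range check visible in either hunk. The page was placed within `1ULL << 30` of whatever `cw->code` was when the first stub on this thread was emitted, but nothing here guarantees later stubs for the same thread stay within ±2 GiB of that page; if Stalker ever hands out code further away, the truncated rip-relative operand would silently point the coverage stub at an unrelated address. Unless a check exists outside the hunk, add `g_assert(prev_loc_value >= G_MININT && prev_loc_value <= G_MAXINT);` before the narrowing store, and the same for `prev_loc_value2` in the `-478` hunk. instrument_coverage_optimize continues outside the hunk.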
--- a/frida_mode/src/instrument/instrument_x86.c
+++ b/frida_mode/src/instrument/instrument_x86.c
@@ -153,6 +153,19 @@ void instrument_coverage_optimize(const cs_insn * instr,
 gsize map_size_pow2;
 gsize area_offset_ror;
+ if (instrument_previous_pc_addr == NULL) {
+
+ GumAddressSpec spec = {.near_address = cw->code, .max_distance = 1ULL << 30};
+
+ instrument_previous_pc_addr = gum_memory_allocate_near( &spec, sizeof(guint64), 0x1000, GUM_PAGE_READ | GUM_PAGE_WRITE);
+ *instrument_previous_pc_addr = instrument_hash_zero;
+ FVERBOSE("instrument_previous_pc_addr: %p", instrument_previous_pc_addr);
+ FVERBOSE("code_addr: %p", cw->code);
+
+ }
+
 code.code = template;
 instrument_coverage_suppress_init();
@@ -170,7 +183,7 @@ void instrument_coverage_optimize(const cs_insn * instr,
 sizeof(code.code.mov_eax_prev_loc) - sizeof(gint);
 *((gint *)&code.bytes[prev_loc_value_offset2]) =
- (gint)GPOINTER_TO_SIZE(&instrument_previous_pc);
+ (gint)GPOINTER_TO_SIZE(instrument_previous_pc_addr);
 gssize curr_loc_shr_1_offset = offsetof(afl_log_code, code.mov_prev_loc_curr_loc_shr1) +
@@ -187,7 +200,7 @@ void instrument_coverage_optimize(const cs_insn * instr,
 sizeof(guint32);
 *((gint *)&code.bytes[prev_loc_value_offset]) =
- (gint)GPOINTER_TO_SIZE(&instrument_previous_pc);
+ (gint)GPOINTER_TO_SIZE(instrument_previous_pc_addr);
 gssize xor_curr_loc_offset = offsetof(afl_log_code, code.xor_eax_curr_loc) + sizeof(code.code.xor_eax_curr_loc) -
diff --git a/frida_mode/src/persistent/persistent_arm64.c b/frida_mode/src/persistent/persistent_arm64.c
index 48f29bb0..16ecf39c 100644
--- a/frida_mode/src/persistent/persistent_arm64.c
+++ b/frida_mode/src/persistent/persistent_arm64.c
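Review bot: The lazy-allocation block at the top of `instrument_coverage_optimize` is the third verbatim copy in this commit (instrument_arm64.c and instrument_x64.c carry the other two), and in all three the `gum_memory_allocate_near` result is stored through on the next line with no NULL check. Moving it into one helper in instrument.c, declared in instrument.h, that FATALs on allocation failure would put the check in exactly one place; each backend then calls `instrument_previous_pc_alloc_near(cw->code);` where the block sits today. On this 32-bit backend the `.max_distance = 1ULL << 30` hint is only a locality preference, since the two hunks below embed the absolute address via `(gint)GPOINTER_TO_SIZE(instrument_previous_pc_addr)` rather than a displacement. instrument_coverage_optimize continues outside the hunk.
```c
/* Lazily allocate this thread's previous-pc word on a RW page close to the
 * code being emitted; the optimized stubs reference it by address, so it must
 * exist before the first stub is written. FATAL on allocation failure. */
void instrument_previous_pc_alloc_near(gpointer code) {

  if (instrument_previous_pc_addr != NULL) { return; }

  GumAddressSpec spec = {.near_address = code, .max_distance = 1ULL << 30};

  instrument_previous_pc_addr = gum_memory_allocate_near(
      &spec, sizeof(guint64), 0x1000, GUM_PAGE_READ | GUM_PAGE_WRITE);
  if (instrument_previous_pc_addr == NULL) {

    FATAL("Failed to allocate instrument_previous_pc_addr near %p", code);

  }

  *instrument_previous_pc_addr = instrument_hash_zero;
  FVERBOSE("instrument_previous_pc_addr: %p", instrument_previous_pc_addr);
  FVERBOSE("code_addr: %p", code);

}

/* … unchanged: in instrument_coverage_optimize the copied block becomes … */
  instrument_previous_pc_alloc_near(cw->code);
```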
@@ -236,7 +236,13 @@ static void instrument_exit(GumArm64Writer *cw) {
 static int instrument_afl_persistent_loop_func(void) {
 int ret = __afl_persistent_loop(persistent_count);
- instrument_previous_pc = instrument_hash_zero;
+ if (instrument_previous_pc_addr == NULL) {
+
+ FATAL("instrument_previous_pc_addr uninitialized");
+
+ }
+
+ *instrument_previous_pc_addr = instrument_hash_zero;
 return ret;
 }
diff --git a/frida_mode/src/persistent/persistent_x64.c b/frida_mode/src/persistent/persistent_x64.c
index 13d6a090..56141787 100644
--- a/frida_mode/src/persistent/persistent_x64.c
+++ b/frida_mode/src/persistent/persistent_x64.c
@@ -173,7 +173,13 @@ static void instrument_exit(GumX86Writer *cw) {
 static int instrument_afl_persistent_loop_func(void) {
 int ret = __afl_persistent_loop(persistent_count);
- instrument_previous_pc = instrument_hash_zero;
+ if (instrument_previous_pc_addr == NULL) {
+
+ FATAL("instrument_previous_pc_addr uninitialized");
+
+ }
+
+ *instrument_previous_pc_addr = instrument_hash_zero;
 return ret;
 }
diff --git a/frida_mode/src/persistent/persistent_x86.c b/frida_mode/src/persistent/persistent_x86.c
index 3fe5891c..76c25334 100644
--- a/frida_mode/src/persistent/persistent_x86.c
+++ b/frida_mode/src/persistent/persistent_x86.c
@@ -130,7 +130,13 @@ static void instrument_exit(GumX86Writer *cw) {
 static int instrument_afl_persistent_loop_func(void) {
 int ret = __afl_persistent_loop(persistent_count);
- instrument_previous_pc = instrument_hash_zero;
+ if (instrument_previous_pc_addr == NULL) {
+
+ FATAL("instrument_previous_pc_addr uninitialized");
+
+ }
+
+ *instrument_previous_pc_addr = instrument_hash_zero;
 return ret;
 }
|
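Review bot: The same seven-line NULL check plus reset is pasted into persistent_arm64.c, persistent_x64.c and persistent_x86.c, while instrument.c's `instrument_on_fork` in this same commit performs the equivalent reset but silently skips the NULL case; a single `void instrument_reset_previous_pc(void)` in instrument.c (FATAL on NULL, then `*instrument_previous_pc_addr = instrument_hash_zero;`) called from the three loop functions would keep the policy in one place and make the fork-versus-persistent difference a deliberate choice rather than an accident of copy-paste. The FATAL itself looks right here: by the time `__afl_persistent_loop` returns, presumably at least one instrumented block has run, so a NULL pointer means the instrumentation never initialised it. Consider making the message actionable, e.g. `FATAL("instrument_previous_pc_addr uninitialized: no instrumented block ran before the persistent loop returned");`.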