-rw-r--r--docs/Changelog.md2
-rw-r--r--examples/afl_frida/README.md10
-rw-r--r--examples/afl_frida/afl-frida.c8
3 files changed, 13 insertions, 7 deletions
diff --git a/docs/Changelog.md b/docs/Changelog.md
index 8fb85ce6..50f5629f 100644
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@@ -18,6 +18,8 @@ sending a mail to <afl-users+subscribe@googlegroups.com>.
      - LTO: autodictionary mode is a default
      - LTO: instrim instrumentation disabled, only classic support used
             as it is always better
+  - added afl-frida gum solution to examples/afl_frida (mostly imported
+    from https://github.com/meme/hotwax/)
   - small fixes to afl-plot, afl-whatsup and man page creation
 
 
diff --git a/examples/afl_frida/README.md b/examples/afl_frida/README.md
index 93e8f35a..33bd67c8 100644
--- a/examples/afl_frida/README.md
+++ b/examples/afl_frida/README.md
@@ -24,14 +24,10 @@ afl-fuzz -i in -o out -- ./afl-frida
 ```
 (or even remote via afl-network-proxy).
 
-### Testing and debugging
+# Speed and stability
 
-For testing/debugging you can try:
-```
-make DEBUG=1
-AFL_DEBUG=1 gdb ./afl-frida
-```
-and then you can easily set breakpoints to "breakpoint" and "fuzz".
+The speed is very good, about x12 of fork() qemu_mode.
+However the stability is low. Reason is currently unknown.
 
 # Background
 
diff --git a/examples/afl_frida/afl-frida.c b/examples/afl_frida/afl-frida.c
index c24e05b7..ff10ffb7 100644
--- a/examples/afl_frida/afl-frida.c
+++ b/examples/afl_frida/afl-frida.c
@@ -39,6 +39,7 @@
 
 #ifndef __APPLE__
   #include <sys/wait.h>
+  #include <sys/personality.h>
 #endif
 
 
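Review bot: The new `#include <sys/personality.h>` is a Linux-only header (personality(2) is a Linux system call), but the enclosing `#ifndef __APPLE__` guard also admits other non-Apple platforms such as the BSDs, where the include will fail. A guard that names the platform that actually provides it would be more precise: `#ifdef __linux__` / `#include <sys/personality.h>` / `#endif`. The same guard is used for the personality() call in the hunk at main(), which would need the same change.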
@@ -216,6 +217,10 @@ static int enumerate_ranges(const GumRangeDetails *details,
 
 int main() {
 
+#ifndef __APPLE__
+  (void)personality(ADDR_NO_RANDOMIZE);  // disable ASLR
+#endif
+
   // STEP 2: load the library you want to fuzz and lookup the functions,
   //         inclusive of the cleanup functions.
   //         If there is just one function, then there is nothing to change
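Review bot: `(void)personality(ADDR_NO_RANDOMIZE)` in main() does not disable ASLR for the process that is already running: the persona only affects images loaded by a later exec(), so the harness, its libraries and the heap of this process stay randomized, and the call also replaces any other persona bits with a bare ADDR_NO_RANDOMIZE instead of OR-ing it in. The usual fix is to query the current persona, set the flag and re-exec once, which needs argv and therefore a `main(int argc, char **argv)` signature (the hunk shows `int main()`); main's body continues outside the hunk. If the intent is only that child processes inherit the flag, a comment saying so would make the `(void)` cast less surprising.
```c
int main(int argc, char **argv) {

#ifndef __APPLE__
  // personality() only takes effect on the next exec(), so re-exec ourselves
  // once if ASLR is still enabled; after the exec the flag is already set and
  // this branch is skipped.
  int persona = personality(0xffffffff);
  if (persona != -1 && !(persona & ADDR_NO_RANDOMIZE)) {
    if (personality(persona | ADDR_NO_RANDOMIZE) != -1) {
      execv("/proc/self/exe", argv);
    }
    // if the re-exec fails we keep going with ASLR enabled
  }
#endif

  // … unchanged: STEP 2 library loading …
```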
@@ -264,6 +269,9 @@ int main() {
 
   GumEventSink *event_sink = gum_fake_event_sink_new();
 
+  // to ensure that the signatures are not optimized out
+  memcpy(__afl_area_ptr, (void*)AFL_PERSISTENT, sizeof(AFL_PERSISTENT) + 1);
+  memcpy(__afl_area_ptr + 32, (void*)AFL_DEFER_FORKSVR, sizeof(AFL_DEFER_FORKSVR) + 1);
   __afl_manual_init();
 
   //
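Review bot: Both new memcpy() calls copy `sizeof(SIG) + 1` bytes; if AFL_PERSISTENT and AFL_DEFER_FORKSVR expand to string literals (their definitions are outside the hunk), sizeof already counts the NUL terminator, so the `+ 1` reads one byte past the end of each literal, which is undefined behaviour even though it will usually go unnoticed. Dropping the extra byte and the unneeded casts gives `memcpy(__afl_area_ptr, AFL_PERSISTENT, sizeof(AFL_PERSISTENT));` and `memcpy(__afl_area_ptr + 32, AFL_DEFER_FORKSVR, sizeof(AFL_DEFER_FORKSVR));`. The calls also write into the coverage map before `__afl_manual_init()`; what `__afl_area_ptr` points to at that moment and whether it is at least `32 + sizeof(AFL_DEFER_FORKSVR)` bytes is not visible here, so a short comment confirming the map is a throwaway buffer at this point (or keeping the literals alive without touching the map, e.g. a `static const char` copy marked `__attribute__((used))`) would make the intent clear. main() continues past the end of this hunk.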