about summary refs log tree commit diff
path: root/utils
diff options
context:
space:
mode:
Diffstat (limited to 'utils')
-rw-r--r--utils/README.md6
-rw-r--r--utils/afl_network_proxy/README.md21
-rw-r--r--utils/afl_untracer/README.md16
-rw-r--r--utils/aflpp_driver/README.md30
-rw-r--r--utils/argv_fuzzing/README.md4
-rw-r--r--utils/autodict_ql/readme.md185
-rw-r--r--utils/libdislocator/README.md37
-rw-r--r--utils/libtokencap/README.md8
-rw-r--r--utils/optimin/README.md10
-rwxr-xr-xutils/qbdi_mode/README.md23
-rw-r--r--utils/qemu_persistent_hook/README.md2
11 files changed, 200 insertions, 142 deletions
diff --git a/utils/README.md b/utils/README.md
index b8df0b47..debc86e8 100644
--- a/utils/README.md
+++ b/utils/README.md
@@ -13,10 +13,10 @@ Here's a quick overview of the stuff you can find in this directory:
 
   - afl_proxy            - skeleton file example to show how to fuzz
                            something where you gather coverage data via
-                           different means, e.g. hw debugger
+                           different means, e.g., hw debugger
 
   - afl_untracer         - fuzz binary-only libraries much faster but with
-                           less coverage than qemu_mode
+                           less coverage than QEMU mode
 
   - analysis_scripts     - random -o out analysis scripts
 
@@ -48,7 +48,7 @@ Here's a quick overview of the stuff you can find in this directory:
   - defork               - intercept fork() in targets
 
   - distributed_fuzzing  - a sample script for synchronizing fuzzer instances
-                           across multiple machines (see parallel_fuzzing.md).
+                           across multiple machines.
 
   - libdislocator        - like ASAN but lightweight.
 
diff --git a/utils/afl_network_proxy/README.md b/utils/afl_network_proxy/README.md
index 05659c45..c34463e2 100644
--- a/utils/afl_network_proxy/README.md
+++ b/utils/afl_network_proxy/README.md
@@ -1,12 +1,13 @@
 # afl-network-proxy
 
-If you want to run afl-fuzz over the network than this is what you need :)
+If you want to run afl-fuzz over the network, then this is what you need. :)
 Note that the impact on fuzzing speed will be huge, expect a loss of 90%.
 
 ## When to use this
 
 1. when you have to fuzz a target that has to run on a system that cannot
-   contain the fuzzing output (e.g. /tmp too small and file system is read-only)
+   contain the fuzzing output (e.g., /tmp too small and file system is
+   read-only)
 2. when the target instantly reboots on crashes
 3. ... any other reason you would need this
 
@@ -28,32 +29,34 @@ For most targets this hurts performance though so it is disabled by default.
 Run `afl-network-server` with your target with the -m and -t values you need.
 Important is the -i parameter which is the TCP port to listen on.
 e.g.:
+
 ```
 afl-network-server -i 1111 -m 25M -t 1000 -- /bin/target -f @@
 ```
 
 ### on the (afl-fuzz) main node
 
-Just run afl-fuzz with your normal options, however the target should be
+Just run afl-fuzz with your normal options, however, the target should be
 `afl-network-client` with the IP and PORT of the `afl-network-server` and
 increase the -t value:
+
 ```
 afl-fuzz -i in -o out -t 2000+ -- afl-network-client TARGET-IP 1111
 ```
-Note the '+' on the -t parameter value. The afl-network-server will take
-care of proper timeouts hence afl-fuzz should not. The '+' increases the
-timeout and the value itself should be 500-1000 higher than the one on 
-afl-network-server.
+
+Note the '+' on the -t parameter value. The afl-network-server will take care of
+proper timeouts hence afl-fuzz should not. The '+' increases the timeout and the
+value itself should be 500-1000 higher than the one on afl-network-server.
 
 ### networking
 
 The TARGET can be an IPv4 or IPv6 address, or a host name that resolves to
 either. Note that also the outgoing interface can be specified with a '%' for
-`afl-network-client`, e.g. `fe80::1234%eth0`.
+`afl-network-client`, e.g., `fe80::1234%eth0`.
 
 Also make sure your default TCP window size is larger than your MAP_SIZE
 (130kb is a good value).
-On Linux that is the middle value of `/proc/sys/net/ipv4/tcp_rmem` 
+On Linux that is the middle value of `/proc/sys/net/ipv4/tcp_rmem`
 
 ## how to compile and install
 
diff --git a/utils/afl_untracer/README.md b/utils/afl_untracer/README.md
index ada0c916..da0e0c77 100644
--- a/utils/afl_untracer/README.md
+++ b/utils/afl_untracer/README.md
@@ -5,9 +5,9 @@
 afl-untracer is an example skeleton file which can easily be used to fuzz
 a closed source library.
 
-It requires less memory and is x3-5 faster than qemu_mode however it is way
-more course grained and does not provide interesting features like compcov
-or cmplog.
+It requires less memory and is x3-5 faster than QEMU mode, however, it is way
+more course grained and does not provide interesting features like compcov or
+cmplog.
 
 Supported is so far Intel (i386/x86_64) and AARCH64.
 
@@ -15,7 +15,7 @@ Supported is so far Intel (i386/x86_64) and AARCH64.
 
 ### Modify afl-untracer.c
 
-Read and modify afl-untracer.c then `make`.
+Read and modify afl-untracer.c, then `make`.
 To adapt afl-untracer.c to your needs, read the header of the file and then
 search and edit the `STEP 1`, `STEP 2` and `STEP 3` locations.
 
@@ -28,28 +28,34 @@ To generate the `patches.txt` file for your target library use the
 The patches.txt file has to be pointed to by `AFL_UNTRACER_FILE`.
 
 To easily run the scripts without needing to run the GUI with Ghidra:
+
 ```
 /opt/ghidra/support/analyzeHeadless /tmp/ tmp$$ -import libtestinstr.so -postscript ./ghidra_get_patchpoints.java
 rm -rf /tmp/tmp$$
 ```
+
 The file is created at `~/Desktop/patches.txt`
 
 ### Fuzzing
 
 Example (after modifying afl-untracer.c to your needs, compiling and creating
 patches.txt):
+
 ```
 LD_LIBRARY_PATH=/path/to/target/library AFL_UNTRACER_FILE=./patches.txt afl-fuzz -i in -o out -- ./afl-untracer
 ```
+
 (or even remote via afl-network-proxy).
 
 ### Testing and debugging
 
 For testing/debugging you can try:
+
 ```
 make DEBUG=1
 AFL_UNTRACER_FILE=./patches.txt AFL_DEBUG=1 gdb ./afl-untracer
 ```
+
 and then you can easily set breakpoints to "breakpoint" and "fuzz".
 
 # Background
@@ -57,4 +63,4 @@ and then you can easily set breakpoints to "breakpoint" and "fuzz".
 This idea is based on [UnTracer](https://github.com/FoRTE-Research/UnTracer-AFL)
 and modified by [Trapfuzz](https://github.com/googleprojectzero/p0tools/tree/master/TrapFuzz).
 This implementation is slower because the traps are not patched out with each
-run, but on the other hand gives much better coverage information.
+run, but on the other hand gives much better coverage information.
\ No newline at end of file
diff --git a/utils/aflpp_driver/README.md b/utils/aflpp_driver/README.md
index 4560be2b..c547aaea 100644
--- a/utils/aflpp_driver/README.md
+++ b/utils/aflpp_driver/README.md
@@ -5,27 +5,27 @@
 aflpp_driver is used to compile directly libfuzzer `LLVMFuzzerTestOneInput()`
 targets.
 
-Just do `afl-clang-fast++ -o fuzz fuzzer_harness.cc libAFLDriver.a [plus required linking]`.
+Just do `afl-clang-fast++ -o fuzz fuzzer_harness.cc libAFLDriver.a [plus
+required linking]`.
 
-You can also sneakily do this little trick:
-If this is the clang compile command to build for libfuzzer:
-  `clang++ -o fuzz -fsanitize=fuzzer fuzzer_harness.cc -lfoo`
-then just switch `clang++` with `afl-clang-fast++` and our compiler will
+You can also sneakily do this little trick: If this is the clang compile command
+to build for libfuzzer: `clang++ -o fuzz -fsanitize=fuzzer fuzzer_harness.cc
+-lfoo`, then just switch `clang++` with `afl-clang-fast++` and our compiler will
 magically insert libAFLDriver.a :)
 
-To use shared-memory test cases, you need nothing to do.
-To use stdin test cases, give `-` as the only command line parameter.
-To use file input test cases, give `@@` as the only command line parameter.
+To use shared-memory test cases, you need nothing to do. To use stdin test
+cases, give `-` as the only command line parameter. To use file input test
+cases, give `@@` as the only command line parameter.
 
-IMPORTANT: if you use `afl-cmin` or `afl-cmin.bash` then either pass `-`
-or `@@` as command line parameters.
+IMPORTANT: if you use `afl-cmin` or `afl-cmin.bash`, then either pass `-` or
+`@@` as command line parameters.
 
 ## aflpp_qemu_driver
 
-Note that you can use the driver too for frida_mode (`-O`).
+Note that you can use the driver too for FRIDA mode (`-O`).
 
 aflpp_qemu_driver is used for libfuzzer `LLVMFuzzerTestOneInput()` targets that
-are to be fuzzed in qemu_mode. So we compile them with clang/clang++, without
+are to be fuzzed in QEMU mode. So compile them with clang/clang++, without
 -fsantize=fuzzer or afl-clang-fast, and link in libAFLQemuDriver.a:
 
 `clang++ -o fuzz fuzzer_harness.cc libAFLQemuDriver.a [plus required linking]`.
@@ -38,6 +38,6 @@ AFL_QEMU_PERSISTENT_HOOK=/path/to/aflpp_qemu_driver_hook.so afl-fuzz -Q ... -- .
 ```
 
 if you use afl-cmin or `afl-showmap -C` with the aflpp_qemu_driver you need to
-set the set same AFL_QEMU_... (or AFL_FRIDA_...) environment variables.
-If you want to use afl-showmap (without -C) or afl-cmin.bash then you may not
-set these environment variables and rather set `AFL_QEMU_DRIVER_NO_HOOK=1`.
\ No newline at end of file
+set the set same AFL_QEMU_... (or AFL_FRIDA_...) environment variables. If you
+want to use afl-showmap (without -C) or afl-cmin.bash, then you may not set
+these environment variables and rather set `AFL_QEMU_DRIVER_NO_HOOK=1`.
\ No newline at end of file
diff --git a/utils/argv_fuzzing/README.md b/utils/argv_fuzzing/README.md
index 192d72f7..e9224995 100644
--- a/utils/argv_fuzzing/README.md
+++ b/utils/argv_fuzzing/README.md
@@ -1,6 +1,6 @@
 # argvfuzz
 
-AFL supports fuzzing file inputs or stdin. When source is available,
+AFL++ supports fuzzing file inputs or stdin. When source is available,
 `argv-fuzz-inl.h` can be used to change `main()` to build argv from stdin.
 
 `argvfuzz` tries to provide the same functionality for binaries. When loaded
@@ -13,4 +13,4 @@ A few conditions need to be fulfilled for this mechanism to work correctly:
 2. If the target binary does not use the default libc's `_start` implementation
    (crt1.o), the hook may not run.
 3. The hook will replace argv with pointers to `.data` of `argvfuzz.so`. If the
-   target binary expects argv to be living on the stack, things may go wrong.
+   target binary expects argv to be living on the stack, things may go wrong.
\ No newline at end of file
diff --git a/utils/autodict_ql/readme.md b/utils/autodict_ql/readme.md
index 9170f552..f61026b7 100644
--- a/utils/autodict_ql/readme.md
+++ b/utils/autodict_ql/readme.md
@@ -2,21 +2,35 @@
 
 ## What is this?
 
-`Autodict-QL` is a plugin system that enables fast generation of Tokens/Dictionaries in a handy way that can be manipulated by the user (unlike The LLVM Passes that are hard to modify). This means that autodict-ql is a scriptable feature which basically uses CodeQL (a powerful semantic code analysis engine) to fetch information from a code base.
+`Autodict-QL` is a plugin system that enables fast generation of
+Tokens/Dictionaries in a handy way that can be manipulated by the user (unlike
+The LLVM Passes that are hard to modify). This means that autodict-ql is a
+scriptable feature which basically uses CodeQL (a powerful semantic code
+analysis engine) to fetch information from a code base.
 
-Tokens are useful when you perform fuzzing on different parsers. The AFL++ `-x` switch enables the usage of dictionaries through your fuzzing campaign. If you are not familiar with Dictionaries in fuzzing, take a look [here](https://github.com/AFLplusplus/AFLplusplus/tree/stable/dictionaries) .
+Tokens are useful when you perform fuzzing on different parsers. The AFL++ `-x`
+switch enables the usage of dictionaries through your fuzzing campaign. If you
+are not familiar with Dictionaries in fuzzing, take a look
+[here](https://github.com/AFLplusplus/AFLplusplus/tree/stable/dictionaries).
 
+## Why CodeQL?
 
-## Why CodeQL ?
-We basically developed this plugin on top of the CodeQL engine because it gives the user scripting features, it's easier and it's independent of the LLVM system. This means that a user can write his CodeQL scripts or modify the current scripts to improve or change the token generation algorithms based on different program analysis concepts.
-
+We basically developed this plugin on top of the CodeQL engine because it gives
+the user scripting features, it's easier and it's independent of the LLVM
+system. This means that a user can write his CodeQL scripts or modify the
+current scripts to improve or change the token generation algorithms based on
+different program analysis concepts.
 
 ## CodeQL scripts
-Currently, we pushed some scripts as defaults for Token generation. In addition, we provide every CodeQL script as an standalone script because it's easier to modify or test.
 
-Currently we provided the following CodeQL scripts :
+Currently, we pushed some scripts as defaults for Token generation. In addition,
+we provide every CodeQL script as an standalone script because it's easier to
+modify or test.
+
+Currently we provided the following CodeQL scripts:
 
-`strcmp-str.ql` is used to extract strings that are related to the `strcmp` function.
+`strcmp-str.ql` is used to extract strings that are related to the `strcmp`
+function.
 
 `strncmp-str.ql` is used to extract the strings from the `strncmp` function.
 
@@ -24,77 +38,110 @@ Currently we provided the following CodeQL scripts :
 
 `litool.ql` extracts Magic numbers as Hexadecimal format.
 
-`strtool.ql` extracts strings with uses of a regex and dataflow concept to capture the string comparison functions. If `strcmp` is rewritten in a project as Mystrcmp or something like strmycmp, then this script can catch the arguments and these are valuable tokens.
-
-You can write other CodeQL scripts to extract possible effective tokens if you think they can be useful.
+`strtool.ql` extracts strings with uses of a regex and dataflow concept to
+capture the string comparison functions. If `strcmp` is rewritten in a project
+as Mystrcmp or something like strmycmp, then this script can catch the arguments
+and these are valuable tokens.
 
+You can write other CodeQL scripts to extract possible effective tokens if you
+think they can be useful.
 
 ## Usage
 
-Before you proceed to installation make sure that you have the following packages by installing them :
-```shell
-sudo apt install build-essential libtool-bin python3-dev python3 automake git vim wget -y
-```
-The usage of Autodict-QL is pretty easy. But let's describe it as:
+Before you proceed to installation make sure that you have the following
+packages by installing them:
 
-1. First of all, you need to have CodeQL installed on the system. we make this possible with `build-codeql.sh` bash script. This script will install CodeQL completety and will set the required environment variables for your system.
-Do the following :
 ```shell
-# chmod +x codeql-build.sh
-# ./codeql-build.sh
-# source ~/.bashrc
-# codeql 
+sudo apt install build-essential libtool-bin python3-dev python3 automake git vim wget -y
 ```
-Then you should get:
 
-```shell
-Usage: codeql <command> <argument>...
-Create and query CodeQL databases, or work with the QL language.
-
-GitHub makes this program freely available for the analysis of open-source software and certain other uses, but it is
-not itself free software. Type codeql --license to see the license terms.
-
-      --license              Show the license terms for the CodeQL toolchain.
-Common options:
-  -h, --help                 Show this help text.
-  -v, --verbose              Incrementally increase the number of progress messages printed.
-  -q, --quiet                Incrementally decrease the number of progress messages printed.
-Some advanced options have been hidden; try --help -v for a fuller view.
-Commands:
-  query     Compile and execute QL code.
-  bqrs      Get information from .bqrs files.
-  database  Create, analyze and process CodeQL databases.
-  dataset   [Plumbing] Work with raw QL datasets.
-  test      Execute QL unit tests.
-  resolve   [Deep plumbing] Helper commands to resolve disk locations etc.
-  execute   [Deep plumbing] Low-level commands that need special JVM options.
-  version   Show the version of the CodeQL toolchain.
-  generate  Generate formatted QL documentation.
-  github    Commands useful for interacting with the GitHub API through CodeQL.
-```
+The usage of Autodict-QL is pretty easy. But let's describe it as:
 
-2. Compile your project with CodeQL: For using the Autodict-QL plugin, you need to compile the source of the target you want to fuzz with CodeQL. This is not something hard.
-	- First you need to create a CodeQL database of the project codebase, suppose we want to compile `libxml` with codeql. Go to libxml and issue the following commands:
-		- `./configure --disable-shared`
-		- `codeql create database libxml-db --language=cpp --command=make`
-			- Now you have the CodeQL database of the project :-)
-3. The final step is to update the CodeQL database you created in step 2 (Suppose we are in `aflplusplus/utils/autodict_ql/` directory):
-	- `codeql database upgrade /home/user/libxml/libxml-db`
+1. First of all, you need to have CodeQL installed on the system. We make this
+   possible with `build-codeql.sh` bash script. This script will install CodeQL
+   completety and will set the required environment variables for your system.
+   Do the following:
+
+    ```shell
+    # chmod +x codeql-build.sh
+    # ./codeql-build.sh
+    # source ~/.bashrc
+    # codeql
+    ```
+
+    Then you should get:
+
+    ```shell
+    Usage: codeql <command> <argument>...
+    Create and query CodeQL databases, or work with the QL language.
+
+    GitHub makes this program freely available for the analysis of open-source software and certain other uses, but it is
+    not itself free software. Type codeql --license to see the license terms.
+
+          --license              Show the license terms for the CodeQL toolchain.
+    Common options:
+      -h, --help                 Show this help text.
+      -v, --verbose              Incrementally increase the number of progress messages printed.
+      -q, --quiet                Incrementally decrease the number of progress messages printed.
+    Some advanced options have been hidden; try --help -v for a fuller view.
+    Commands:
+      query     Compile and execute QL code.
+      bqrs      Get information from .bqrs files.
+      database  Create, analyze and process CodeQL databases.
+      dataset   [Plumbing] Work with raw QL datasets.
+      test      Execute QL unit tests.
+      resolve   [Deep plumbing] Helper commands to resolve disk locations etc.
+      execute   [Deep plumbing] Low-level commands that need special JVM options.
+      version   Show the version of the CodeQL toolchain.
+      generate  Generate formatted QL documentation.
+      github    Commands useful for interacting with the GitHub API through CodeQL.
+    ```
+
+2. Compile your project with CodeQL: For using the Autodict-QL plugin, you need
+   to compile the source of the target you want to fuzz with CodeQL. This is not
+   something hard.
+   - First you need to create a CodeQL database of the project codebase, suppose
+     we want to compile `libxml` with codeql. Go to libxml and issue the
+     following commands:
+     - `./configure --disable-shared`
+     - `codeql create database libxml-db --language=cpp --command=make`
+       - Now you have the CodeQL database of the project :-)
+3. The final step is to update the CodeQL database you created in step 2
+   (Suppose we are in `aflplusplus/utils/autodict_ql/` directory):
+   - `codeql database upgrade /home/user/libxml/libxml-db`
 4. Everything is set! Now you should issue the following to get the tokens:
-	- `python3 autodict-ql.py [CURRECT_DIR] [CODEQL_DATABASE_PATH] [TOKEN_PATH]`
-		- example : `python3 /home/user/AFLplusplus/utils/autodict_ql/autodict-ql.py $PWD /home/user/libxml/libxml-db tokens`
-			- This will create the final `tokens` dir for you and you are done, then pass the tokens path to AFL++'s `-x` flag.
-5. Done! 
-
+   - `python3 autodict-ql.py [CURRECT_DIR] [CODEQL_DATABASE_PATH] [TOKEN_PATH]`
+     - example: `python3 /home/user/AFLplusplus/utils/autodict_ql/autodict-ql.py
+       $PWD /home/user/libxml/libxml-db tokens`
+       - This will create the final `tokens` dir for you and you are done, then
+         pass the tokens path to AFL++'s `-x` flag.
+5. Done!
 
 ## More on dictionaries and tokens
-Core developer of the AFL++ project Marc Heuse also developed a similar tool named `dict2file` which is a LLVM pass which can automatically extract useful tokens, in addition with LTO instrumentation mode, this dict2file is automatically generates token extraction. `Autodict-QL` plugin gives you scripting capability and you can do whatever you want to extract from the Codebase and it's up to you. In addition it's independent from LLVM system.
-On the other hand, you can also use Google dictionaries which have been made public in May 2020, but the problem of using Google dictionaries is that they are limited to specific file formats and specifications. For example, for testing binutils and ELF file format or AVI in FFMPEG, there are no prebuilt dictionaries, so it is highly recommended to use `Autodict-QL` or `Dict2File` features to automatically generate dictionaries based on the target.
-
-I've personally prefered to use `Autodict-QL` or `dict2file` rather than Google dictionaries or any other manually generated dictionaries as `Autodict-QL` and `dict2file` are working based on the target.
-In overall, fuzzing with dictionaries and well-generated tokens will give better results.
-
-There are 2 important points to remember :
 
-- If you combine `Autodict-QL` with AFL++ cmplog, you will get much better code coverage and hence better chances to discover new bugs.
-- Do not forget to set `AFL_MAX_DET_EXTRAS` at least to the number of generated dictionaries. If you forget to set this environment variable, then AFL++ uses just 200 tokens and use the rest of them only probabilistically. So this will guarantee that your tokens will be used by AFL++.
+Core developer of the AFL++ project Marc Heuse also developed a similar tool
+named `dict2file` which is a LLVM pass which can automatically extract useful
+tokens, in addition with LTO instrumentation mode, this dict2file is
+automatically generates token extraction. `Autodict-QL` plugin gives you
+scripting capability and you can do whatever you want to extract from the
+Codebase and it's up to you. In addition it's independent from LLVM system. On
+the other hand, you can also use Google dictionaries which have been made public
+in May 2020, but the problem of using Google dictionaries is that they are
+limited to specific file formats and specifications. For example, for testing
+binutils and ELF file format or AVI in FFMPEG, there are no pre-built
+dictionaries, so it is highly recommended to use `Autodict-QL` or `Dict2File`
+features to automatically generate dictionaries based on the target.
+
+I've personally preferred to use `Autodict-QL` or `dict2file` rather than Google
+dictionaries or any other manually generated dictionaries as `Autodict-QL` and
+`dict2file` are working based on the target. In overall, fuzzing with
+dictionaries and well-generated tokens will give better results.
+
+There are 2 important points to remember:
+
+- If you combine `Autodict-QL` with AFL++ cmplog, you will get much better code
+  coverage and hence better chances to discover new bugs.
+- Do not forget to set `AFL_MAX_DET_EXTRAS` at least to the number of generated
+  dictionaries. If you forget to set this environment variable, then AFL++ uses
+  just 200 tokens and use the rest of them only probabilistically. So this will
+  guarantee that your tokens will be used by AFL++.
\ No newline at end of file
diff --git a/utils/libdislocator/README.md b/utils/libdislocator/README.md
index d0340af0..7150c205 100644
--- a/utils/libdislocator/README.md
+++ b/utils/libdislocator/README.md
@@ -10,8 +10,8 @@ heap-related security bugs in several ways:
     subsequent PROT_NONE page, causing most off-by-one reads and writes to
     immediately segfault,
 
-  - It adds a canary immediately below the allocated buffer, to catch writes
-    to negative offsets (won't catch reads, though),
+  - It adds a canary immediately below the allocated buffer, to catch writes to
+    negative offsets (won't catch reads, though),
 
   - It sets the memory returned by malloc() to garbage values, improving the
     odds of crashing when the target accesses uninitialized data,
@@ -19,37 +19,36 @@ heap-related security bugs in several ways:
   - It sets freed memory to PROT_NONE and does not actually reuse it, causing
     most use-after-free bugs to segfault right away,
 
-  - It forces all realloc() calls to return a new address - and sets
-    PROT_NONE on the original block. This catches use-after-realloc bugs,
+  - It forces all realloc() calls to return a new address - and sets PROT_NONE
+    on the original block. This catches use-after-realloc bugs,
 
-  - It checks for calloc() overflows and can cause soft or hard failures
-    of alloc requests past a configurable memory limit (AFL_LD_LIMIT_MB,
+  - It checks for calloc() overflows and can cause soft or hard failures of
+    alloc requests past a configurable memory limit (AFL_LD_LIMIT_MB,
     AFL_LD_HARD_FAIL).
 
   - Optionally, in platforms supporting it, huge pages can be used by passing
     USEHUGEPAGE=1 to make.
-  
-  - Size alignment to `max_align_t` can be enforced with AFL_ALIGNED_ALLOC=1.
-    In this case, a tail canary is inserted in the padding bytes at the end
-    of the allocated zone. This reduce the ability of libdislocator to detect
+
+  - Size alignment to `max_align_t` can be enforced with AFL_ALIGNED_ALLOC=1. In
+    this case, a tail canary is inserted in the padding bytes at the end of the
+    allocated zone. This reduce the ability of libdislocator to detect
     off-by-one bugs but also it make slibdislocator compliant to the C standard.
 
 Basically, it is inspired by some of the non-default options available for the
 OpenBSD allocator - see malloc.conf(5) on that platform for reference. It is
-also somewhat similar to several other debugging libraries, such as gmalloc
-and DUMA - but is simple, plug-and-play, and designed specifically for fuzzing
-jobs.
+also somewhat similar to several other debugging libraries, such as gmalloc and
+DUMA - but is simple, plug-and-play, and designed specifically for fuzzing jobs.
 
 Note that it does nothing for stack-based memory handling errors. The
 -fstack-protector-all setting for GCC / clang, enabled when using AFL_HARDEN,
 can catch some subset of that.
 
 The allocator is slow and memory-intensive (even the tiniest allocation uses up
-4 kB of physical memory and 8 kB of virtual mem), making it completely unsuitable
-for "production" uses; but it can be faster and more hassle-free than ASAN / MSAN
-when fuzzing small, self-contained binaries.
+4 kB of physical memory and 8 kB of virtual mem), making it completely
+unsuitable for "production" uses; but it can be faster and more hassle-free than
+ASAN / MSAN when fuzzing small, self-contained binaries.
 
-To use this library, run AFL like so:
+To use this library, run AFL++ like so:
 
 ```
 AFL_PRELOAD=/path/to/libdislocator.so ./afl-fuzz [...other params...]
@@ -62,7 +61,7 @@ Similarly to afl-tmin, the library is not "proprietary" and can be used with
 other fuzzers or testing tools without the need for any code tweaks. It does not
 require AFL-instrumented binaries to work.
 
-Note that the AFL_PRELOAD approach (which AFL internally maps to LD_PRELOAD or
+Note that the AFL_PRELOAD approach (which AFL++ internally maps to LD_PRELOAD or
 DYLD_INSERT_LIBRARIES, depending on the OS) works only if the target binary is
 dynamically linked. Otherwise, attempting to use the library will have no
-effect.
+effect.
\ No newline at end of file
diff --git a/utils/libtokencap/README.md b/utils/libtokencap/README.md
index a39ed3a5..343fcce0 100644
--- a/utils/libtokencap/README.md
+++ b/utils/libtokencap/README.md
@@ -40,10 +40,10 @@ when using afl-gcc. This setting specifically adds the following flags:
   -fno-builtin-strcasestr
 ```
 
-The next step is simply loading this library via LD_PRELOAD. The optimal usage
-pattern is to allow afl-fuzz to fuzz normally for a while and build up a corpus,
-and then fire off the target binary, with libtokencap.so loaded, on every file
-found by AFL in that earlier run. This demonstrates the basic principle:
+The next step is to load this library via LD_PRELOAD. The optimal usage pattern
+is to allow afl-fuzz to fuzz normally for a while and build up a corpus, and
+then fire off the target binary, with libtokencap.so loaded, on every file found
+by AFL++ in that earlier run. This demonstrates the basic principle:
 
 ```
   export AFL_TOKEN_FILE=$PWD/temp_output.txt
diff --git a/utils/optimin/README.md b/utils/optimin/README.md
index c6f2af06..340022b8 100644
--- a/utils/optimin/README.md
+++ b/utils/optimin/README.md
@@ -73,11 +73,11 @@ and `WEIGHT_N` is an integer weight.
 
 ## Further Details and Citation
 
-For more details, please see the paper [Seed Selection for Successful
-Fuzzing](https://dl.acm.org/doi/10.1145/3460319.3464795). If you use OptiMin in
-your research, please cite this paper.
+For more details, see the paper
+[Seed Selection for Successful Fuzzing](https://dl.acm.org/doi/10.1145/3460319.3464795).
+If you use OptiMin in your research, please cite this paper.
 
-Bibtex:
+BibTeX:
 
 ```bibtex
 @inproceedings{Herrera:2021:FuzzSeedSelection,
@@ -91,4 +91,4 @@ Bibtex:
   location = {Virtual, Denmark},
   publisher = {Association for Computing Machinery},
 }
-```
+```
\ No newline at end of file
diff --git a/utils/qbdi_mode/README.md b/utils/qbdi_mode/README.md
index 8b768906..08558017 100755
--- a/utils/qbdi_mode/README.md
+++ b/utils/qbdi_mode/README.md
@@ -2,14 +2,13 @@
 
 NOTE: this code is outdated and first would need to be adapted to the current
 AFL++ versions.
-Try frida_mode or fpicker [https://github.com/ttdennis/fpicker/](https://github.com/ttdennis/fpicker/) first, maybe they suite your need.
+Try FRIDA mode or fpicker [https://github.com/ttdennis/fpicker/](https://github.com/ttdennis/fpicker/) first, maybe they suite your need.
 
 ## 1) Introduction
 
 The code in ./qbdi_mode allows you to build a standalone feature that
 using the QBDI framework to fuzz android native library.
 
-
 ## 2) Build
 
 First download the Android NDK
@@ -34,7 +33,9 @@ For x86 standalone-toolchain
 ./build/tools/make_standalone_toolchain.py --arch x86 --api 21 --install-dir ../android-standalone-toolchain-x86
 ```
 
-In alternative you can also use the prebuilt toolchain, in that case make sure to set the proper CC and CXX env variables because there are many different compilers for each API version in the prebuilt toolchain.
+In alternative you can also use the pre-built toolchain, in that case make sure
+to set the proper CC and CXX environment variables because there are many
+different compilers for each API version in the pre-built toolchain.
 
 For example:
 
@@ -51,6 +52,7 @@ https://qbdi.quarkslab.com/
 ```
 
 For Android x86_64
+
 ```
 https://github.com/QBDI/QBDI/releases/download/v0.7.0/QBDI-0.7.0-android-X86_64.tar.gz
 ```
@@ -64,7 +66,7 @@ cd android-qbdi-sdk-x86_64/
 tar xvf QBDI-0.7.0-android-X86_64.tar.gz
 ```
 
-Now set the `STANDALONE_TOOLCHAIN_PATH` to the path of standalone-toolchain 
+Now set the `STANDALONE_TOOLCHAIN_PATH` to the path of standalone-toolchain
 
 ```
 export STANDALONE_TOOLCHAIN_PATH=/home/hac425/workspace/android-standalone-toolchain-x86_64
@@ -84,7 +86,6 @@ Then run the build.sh
 
 this could build the afl-fuzz and also the qbdi template for android x86_64
 
-
 ### Example
 
 The demo-so.c is an vulnerable library, it has a function for test
@@ -127,9 +128,10 @@ int target_func(char *buf, int size) {
 }
 ```
 
-This could be build to `libdemo.so`.
+This could be built to `libdemo.so`.
+
+Then load the library in template.cpp and find the `target` function address:
 
-Then we should load the library in template.cpp and find the `target` function address.
 ```c
     void *handle = dlopen(lib_path, RTLD_LAZY);
 	..........................................
@@ -138,7 +140,7 @@ Then we should load the library in template.cpp and find the `target` function a
     p_target_func = (target_func)dlsym(handle, "target_func");
 ```
 
-then we read the data from file and call the function in `fuzz_func`
+Then read the data from file and call the function in `fuzz_func`:
 
 ```c
 QBDI_NOINLINE int fuzz_func() {
@@ -157,6 +159,7 @@ QBDI_NOINLINE int fuzz_func() {
 ```
 
 Just compile it
+
 ```
 ./build.sh x86_64
 ```
@@ -173,6 +176,7 @@ adb push ../../android-standalone-toolchain-x86_64/sysroot/usr/lib/x86_64-linux-
 ```
 
 In android adb shell, run the loader to test if it runs
+
 ```
 cd /data/local/tmp
 export LD_LIBRARY_PATH=/data/local/tmp
@@ -199,5 +203,4 @@ Now run `afl-fuzz` to fuzz the demo library
 ./afl-fuzz -i in -o out -- ./loader /data/local/tmp/libdemo.so @@
 ```
 
-![screen1](assets/screen1.png)
-
+![screen1](assets/screen1.png)
\ No newline at end of file
diff --git a/utils/qemu_persistent_hook/README.md b/utils/qemu_persistent_hook/README.md
index 3f908c22..3bbaef6b 100644
--- a/utils/qemu_persistent_hook/README.md
+++ b/utils/qemu_persistent_hook/README.md
@@ -16,4 +16,4 @@ mkdir in
 echo 0000 > in/in
 
 ../../afl-fuzz -Q -i in -o out -- ./test
-```
+```
\ No newline at end of file
generated by cgit-pink 1.4.1 (git 2.36.1) at 2025-05-17 05:28:19 +0000