From d16d8dbb8511ad227fdeb33eb5a10914d9ad7bd9 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Mon, 12 Jul 2021 15:56:25 +0200 Subject: update faq --- docs/FAQ.md | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) (limited to 'docs') diff --git a/docs/FAQ.md b/docs/FAQ.md index ab0abe6c..0f447044 100644 --- a/docs/FAQ.md +++ b/docs/FAQ.md @@ -188,13 +188,7 @@ Four steps are required to do this and it also requires quite some knowledge of coding and/or disassembly and is effectively possible only with afl-clang-fast PCGUARD and afl-clang-lto LTO instrumentation. - 1. First step: Identify which edge ID numbers are unstable - - run the target with `export AFL_DEBUG=1` for a few minutes then terminate. - The out/fuzzer_stats file will then show the edge IDs that were identified - as unstable. - - 2. Second step: Find the responsible function(s). + 1. First step: Instrument to be able to find the responsible function(s). a) For LTO instrumented binaries this can be documented during compile time, just set `export AFL_LLVM_DOCUMENT_IDS=/path/to/a/file`. @@ -217,6 +211,14 @@ afl-clang-fast PCGUARD and afl-clang-lto LTO instrumentation. recompile with the two mentioned above. This is just for identifying the functions that have unstable edges. + 2. Second step: Identify which edge ID numbers are unstable + + run the target with `export AFL_DEBUG=1` for a few minutes then terminate. + The out/fuzzer_stats file will then show the edge IDs that were identified + as unstable in the `var_bytes` entry. You can match these numbers + directly to the data you created in the first step. + Now you know which functions are responsible for the instability + 3. Third step: create a text file with the filenames/functions Identify which source code files contain the functions that you need to -- cgit 1.4.1
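Review bot: The renamed heading in the first hunk, "1. First step: Instrument to be able to find the responsible function(s).", reads awkwardly; suggest "1. First step: Instrument the target so that the responsible function(s) can be identified." The reordering itself is sound: the intro sentence above the hunk still says "Four steps are required", and the list keeps steps 1 through 4 once the old step 1 is moved, so no other text in the hunk needs to change.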
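Review bot: In the second hunk the added step 2 has two small wording defects: "run the target with `export AFL_DEBUG=1`" should start with a capital letter, and the closing line "Now you know which functions are responsible for the instability" lacks a full stop. It would also help the reader to make the cross-reference concrete, e.g. "You can match these numbers directly to the data you created in the first step (for example the `AFL_LLVM_DOCUMENT_IDS` file)", so it is clear what "the data" refers to after the steps were swapped.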