From bb81fb784e7c855fe230136a4878f68c33d0f98f Mon Sep 17 00:00:00 2001 From: guyf2010 Date: Sun, 13 Nov 2022 14:37:33 +0000 Subject: Add option for random cmplog colorization --- src/afl-fuzz-redqueen.c | 13 ++++++++++++- src/afl-fuzz.c | 9 +++++++-- 2 files changed, 19 insertions(+), 3 deletions(-) (limited to 'src') diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c index 337f124d..aa0b3210 100644 --- a/src/afl-fuzz-redqueen.c +++ b/src/afl-fuzz-redqueen.c @@ -167,6 +167,13 @@ static u8 get_exec_checksum(afl_state_t *afl, u8 *buf, u32 len, u64 *cksum) { } +/* replace everything with different values */ +static void random_replace(afl_state_t *afl, u8 *buf, u32 len){ + for(u32 i=0; i < len; i++){ + buf[i] = rand_below(afl, 256); + } +} + /* replace everything with different values but stay in the same type */ static void type_replace(afl_state_t *afl, u8 *buf, u32 len) { @@ -293,7 +300,11 @@ static u8 colorization(afl_state_t *afl, u8 *buf, u32 len, memcpy(backup, buf, len); memcpy(changed, buf, len); - type_replace(afl, changed, len); + if (afl->cmplog_random_colorization) { + random_replace(afl, changed, len); + } else { + type_replace(afl, changed, len); + } while ((rng = pop_biggest_range(&ranges)) != NULL && afl->stage_cur < afl->stage_max) { diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index acb0b2ec..a81cab7d 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -171,10 +171,11 @@ static void usage(u8 *argv0, int more_help) { " if using QEMU/FRIDA or the fuzzing target is " "compiled\n" " for CmpLog then just use -c 0.\n" - " -l cmplog_opts - CmpLog configuration values (e.g. \"2AT\"):\n" + " -l cmplog_opts - CmpLog configuration values (e.g. \"2ATR\"):\n" " 1=small files, 2=larger files (default), 3=all " "files,\n" - " A=arithmetic solving, T=transformational solving.\n\n" + " A=arithmetic solving, T=transformational solving,\n" + " R=random colorization bytes.\n\n" "Fuzzing behavior settings:\n" " -Z - sequential queue selection instead of weighted " "random\n" @@ -1113,6 +1114,10 @@ int main(int argc, char **argv_orig, char **envp) { case 'T': afl->cmplog_enable_transform = 1; break; + case 'r': + case 'R': + afl->cmplog_random_colorization = 1; + break; default: FATAL("Unknown option value '%c' in -l %s", *c, optarg); -- cgit 1.4.1 From 189255d3f4eed4df91139caa87bf92d9ccd8b0a9 Mon Sep 17 00:00:00 2001 From: guyf2010 Date: Sun, 13 Nov 2022 14:57:53 +0000 Subject: cmplog random replacement code formatting --- src/afl-fuzz-redqueen.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) (limited to 'src') diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c index aa0b3210..3feeaca0 100644 --- a/src/afl-fuzz-redqueen.c +++ b/src/afl-fuzz-redqueen.c @@ -168,10 +168,14 @@ static u8 get_exec_checksum(afl_state_t *afl, u8 *buf, u32 len, u64 *cksum) { } /* replace everything with different values */ -static void random_replace(afl_state_t *afl, u8 *buf, u32 len){ - for(u32 i=0; i < len; i++){ +static void random_replace(afl_state_t *afl, u8 *buf, u32 len) { + + for (u32 i = 0; i < len; i++) { + buf[i] = rand_below(afl, 256); + } + } /* replace everything with different values but stay in the same type */ @@ -301,9 +305,13 @@ static u8 colorization(afl_state_t *afl, u8 *buf, u32 len, memcpy(backup, buf, len); memcpy(changed, buf, len); if (afl->cmplog_random_colorization) { + random_replace(afl, changed, len); + } else { + type_replace(afl, changed, len); + } while ((rng = pop_biggest_range(&ranges)) != NULL && -- cgit 1.4.1 From 7f7cbe962324f7af8d55423ee09635996a8c9332 Mon Sep 17 00:00:00 2001 From: guyf2010 Date: Mon, 14 Nov 2022 12:19:44 +0000 Subject: Ensure random colorization always changes byte --- src/afl-fuzz-redqueen.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) (limited to 'src') diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c index 3feeaca0..0dae26a3 100644 --- a/src/afl-fuzz-redqueen.c +++ b/src/afl-fuzz-redqueen.c @@ -172,7 +172,15 @@ static void random_replace(afl_state_t *afl, u8 *buf, u32 len) { for (u32 i = 0; i < len; i++) { - buf[i] = rand_below(afl, 256); + u8 c; + + do { + + c = rand_below(afl, 256); + + } while (c == buf[i]); + + buf[i] = c; } -- cgit 1.4.1