diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c
index fd75a82293..640237e44d 100644
--- a/src/afl-fuzz-bitmap.c
+++ b/src/afl-fuzz-bitmap.c
@@ -225,6 +225,7 @@ inline u8 has_new_bits(afl_state_t *afl, u8 *virgin_map) {
 #endif /* ^WORD_SIZE_64 */
 u8 ret = 0;
+ u64 cksum = hash64(virgin_map, afl->fsrv.map_size, HASH_CONST);
 while (i--) {
 if (unlikely(*current)) discover_word(&ret, current, virgin);
@@ -235,7 +236,12 @@ inline u8 has_new_bits(afl_state_t *afl, u8 *virgin_map) {
 }
 if (unlikely(ret) && likely(virgin_map == afl->virgin_bits))
+ {
 afl->bitmap_changed = 1;
+ if(afl->introspection_file) {
+ fprintf(afl->introspection_file, "HNB HASH %d\n", cksum);
+ }
+ }
 return ret;
diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c
index fd5ed87ca3..71232711b0 100644
--- a/src/afl-fuzz-one.c
+++ b/src/afl-fuzz-one.c
@@ -616,7 +616,7 @@ u8 fuzz_one_original(afl_state_t *afl) {
 afl->stage_short = "flip1";
 afl->stage_max = len << 3;
 afl->stage_name = "bitflip 1/1";
-
+ printf("FLIP1\n");
 afl->stage_val_type = STAGE_VAL_NONE;
 orig_hit_cnt = afl->queued_items + afl->saved_crashes;
@@ -747,6 +747,7 @@ u8 fuzz_one_original(afl_state_t *afl) {
 afl->stage_name = "bitflip 2/1";
 afl->stage_short = "flip2";
 afl->stage_max = (len << 3) - 1;
+ printf("FLIP2\n");
 orig_hit_cnt = new_hit_cnt;
@@ -786,6 +787,7 @@ u8 fuzz_one_original(afl_state_t *afl) {
 afl->stage_name = "bitflip 4/1";
 afl->stage_short = "flip4";
 afl->stage_max = (len << 3) - 3;
+ printf("FLIP4\n");
 orig_hit_cnt = new_hit_cnt;
@@ -829,6 +831,7 @@ u8 fuzz_one_original(afl_state_t *afl) {
 afl->stage_name = "bitflip 8/8";
 afl->stage_short = "flip8";
 afl->stage_max = len;
+ printf("FLIP8\n");
 orig_hit_cnt = new_hit_cnt;
 prev_cksum = _prev_cksum;
@@ -880,6 +883,7 @@ u8 fuzz_one_original(afl_state_t *afl) {
 afl->stage_short = "flip16";
 afl->stage_cur = 0;
 afl->stage_max = len - 1;
+ printf("FLIP16\n");
 orig_hit_cnt = new_hit_cnt;
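Review bot: The new `u64 cksum = hash64(virgin_map, afl->fsrv.map_size, HASH_CONST);` runs on every has_new_bits() call, hashing the whole map even when `afl->introspection_file` is unset and for maps other than `afl->virgin_bits`, where the value is never read (its only consumer in the next hunk is behind both conditions). has_new_bits() sits on the per-execution path, so this is a full-map pass added to every run for a value that is usually discarded. If the intent is to record the map state before discover_word() updates it, keep the placement but guard the work: `u64 cksum = 0;` followed by `if (afl->introspection_file && virgin_map == afl->virgin_bits) cksum = hash64(virgin_map, afl->fsrv.map_size, HASH_CONST);`. The function begins before this hunk.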
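Review bot: `fprintf(afl->introspection_file, "HNB HASH %d\n", cksum)` passes a `u64` (declared so in the previous hunk) to `%d`, which is undefined behaviour and on most ABIs prints a truncated or garbage value; use `"HNB HASH %llu\n", (unsigned long long)cksum` or `PRIu64`. The block is also not wrapped in `#ifdef INTROSPECTION`, unlike the `introspection_file` use in afl-fuzz-one.c below; if that field only exists in introspection builds (I cannot confirm from here), non-introspection builds stop compiling. Minor: the file writes `if (` with a space, the added `if(afl->introspection_file)` does not.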
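Review bot: `printf("FLIP1\n");` writes unconditionally to stdout from inside the fuzzing loop, and the same pattern is repeated for FLIP2/4/8/16/32 and `printf("EXT O")` (that one without a newline) in the later hunks; stdout is where afl-fuzz draws its status screen, so these lines corrupt the UI for every user and cannot be switched off. If stage tracing is wanted, route it through the introspection log that this commit already uses, e.g. `if (afl->introspection_file) fprintf(afl->introspection_file, "STAGE flip1\n");` under `#ifdef INTROSPECTION`, or drop the prints before merging. fuzz_one_original() starts and ends outside this hunk.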
@@ -923,6 +927,7 @@ u8 fuzz_one_original(afl_state_t *afl) {
 afl->stage_short = "flip32";
 afl->stage_cur = 0;
 afl->stage_max = len - 3;
+ printf("FLIP32\n");
 orig_hit_cnt = new_hit_cnt;
@@ -1025,6 +1030,8 @@ u8 fuzz_one_original(afl_state_t *afl) {
 #ifdef INTROSPECTION
 snprintf(afl->mutation, sizeof(afl->mutation), "%s ARITH8--%u-%u",
 afl->queue_cur->fname, i, j);
+ fprintf(afl->introspection_file, "LOGGING %s = %s\n", afl->mutation,
+ afl->queue_top->fname);
 #endif
 if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; }
@@ -1566,7 +1573,7 @@ u8 fuzz_one_original(afl_state_t *afl) {
 afl->stage_max = afl->extras_cnt * len;
 afl->stage_val_type = STAGE_VAL_NONE;
-
+ printf("EXT O");
 orig_hit_cnt = new_hit_cnt;
 for (i = 0; i < (u32)len; ++i) {
diff --git a/src/afl-fuzz-skipdet.c b/src/afl-fuzz-skipdet.c
index 8a927292bb..8a07f9c87d 100644
--- a/src/afl-fuzz-skipdet.c
+++ b/src/afl-fuzz-skipdet.c
@@ -1,6 +1,7 @@
 #include "afl-fuzz.h"
+#include
 void flip_range(u8 *input, u32 pos, u32 size) {
@@ -154,15 +155,17 @@ u8 skip_deterministic_stage(afl_state_t *afl, u8 *orig_buf, u8 *out_buf,
 flip_range(out_buf, pos, flip_block_size);
- if (common_fuzz_stuff(afl, out_buf, len)) return 0;
+ u64 cksum;
+ for(int y = 0; y < 10; y++) {
+ if (common_fuzz_stuff(afl, out_buf, len)) return 0;\
+ cksum =
+ hash64(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST);
+ }
 flip_range(out_buf, pos, flip_block_size);
- u64 cksum =
- hash64(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST);
-
- // printf("Now trying range %d with %d, %s.\n", pos, cur_block_size,
- // (cksum == prev_cksum) ? (u8*)"Yes" : (u8*) "Not");
+ // printf("Now trying range %d with %d %d==%d, %s.\n", pos, cur_block_size, cksum, prev_cksum,
+ // (cksum == prev_cksum) ? (u8*)"Yes" : (u8*) "Not");
 /* continue until we fail or exceed length */
 if (cksum == _prev_cksum) {
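Review bot: The added `fprintf(afl->introspection_file, "LOGGING %s = %s\n", afl->mutation, afl->queue_top->fname);` runs before `common_fuzz_stuff()` executes this mutation, so `afl->queue_top` still names whatever entry was saved by an earlier run; the "mutation = saved input" pairing the format string suggests is not established by this ordering. It also dereferences `afl->introspection_file` without the NULL guard the afl-fuzz-bitmap.c hunk uses, and emits one line per arithmetic candidate, which will be a large file. Record `afl->queue_top` before the call, and log only after `common_fuzz_stuff()` returns and the pointer has changed. fuzz_one_original() continues outside this hunk.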
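Review bot: The added line is a bare `#include` with no header name, which the preprocessor rejects, so as shown this file does not compile; the name was probably lost in rendering (angle brackets stripped), but it should be verified against the actual commit. If the intended header is `<stdio.h>` for the `fopen`/`fwrite`/`printf` calls added further down, check whether `afl-fuzz.h` already brings it in before adding a second include.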
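Review bot: The new `for(int y = 0; y < 10; y++)` loop executes the same flipped buffer ten times but only keeps the last `hash64()` result, never comparing runs against each other, so the probe costs ten executions per range and detects nothing the single run did not; either compare consecutive checksums or restore the single `common_fuzz_stuff()` call. The stray `\` after `return 0;` splices that line onto `cksum =`, which happens to be harmless because the `if` body is already a complete statement, but it should go. `u64 cksum;` is also left uninitialised, which trips `-Wmaybe-uninitialized`; write `u64 cksum = 0;`. skip_deterministic_stage() starts and ends outside this hunk.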
@@ -230,7 +233,7 @@ u8 skip_deterministic_stage(afl_state_t *afl, u8 *orig_buf, u8 *out_buf,
 orig_hit_cnt = afl->queued_items + afl->saved_crashes;
 u32 before_skip_inf = afl->queued_items;
-
+ printf("QUICK at %d\n", afl->fsrv.total_execs);
 /* clean all the eff bytes, since previous eff bytes are already fuzzed */
 u8 *skip_eff_map = afl->queue_cur->skipdet_e->skip_eff_map, *done_inf_map = afl->queue_cur->skipdet_e->done_inf_map;
@@ -308,10 +311,28 @@ u8 skip_deterministic_stage(afl_state_t *afl, u8 *orig_buf, u8 *out_buf,
 }
 out_buf[afl->stage_cur_byte] = replace;
+ printf("Replacing %d with %d\n", afl->stage_cur_byte, replace);
 before_skip_inf = afl->queued_items;
- if (common_fuzz_stuff(afl, out_buf, len)) { return 0; }
+ int cksum = 0;
+ for(int y = 0; y < 20; y++) {
+ if (common_fuzz_stuff(afl, out_buf, len)) { return 0; }
+ int new_cksum =
+ hash64(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST);
+ if (cksum != 0 && cksum != new_cksum) {
+ char inputname[64];
+ snprintf(inputname, sizeof(inputname), "input_%d_%d.bin", afl->stage_cur_byte, y);
+ FILE* fp1 = fopen(inputname, "wb"); // Open file in binary write mode
+ fwrite(afl->fsrv.trace_bits, 1, afl->fsrv.map_size, fp1);
+ fclose(fp1);
+ printf("============================================================================\n");
+ printf("new_cksum: %d\n", new_cksum);
+ exit(1);
+ }
+ printf("new_cksum: %d\n", new_cksum);
+ cksum = new_cksum;
+ }
 out_buf[afl->stage_cur_byte] = orig;
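Review bot: `printf("QUICK at %d\n", afl->fsrv.total_execs);` prints the forkserver execution counter with `%d`; if that field is the 64-bit counter it is elsewhere in the forkserver (I cannot see its declaration here), the argument type does not match the conversion and the output is undefined. Use `"%llu"` with `(unsigned long long)afl->fsrv.total_execs`, and, like the other debug prints in this commit, send it to the introspection log rather than the stdout that hosts the status UI. skip_deterministic_stage() starts before this hunk.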
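Review bot: `FILE* fp1 = fopen(inputname, "wb");` is followed by `fwrite(..., fp1)` with no NULL check, so an unwritable working directory turns the diagnostic into a crash, and the file is created in whatever CWD afl-fuzz was started from rather than the output directory. The stability check is also weakened by its types: `hash64()` returns `u64` (the removed `u64 cksum = hash64(...)` line earlier in this file shows that), but `cksum` and `new_cksum` are `int`, so the comparison only sees the low 32 bits, and `cksum != 0` as an "unset" sentinel conflates a genuine zero hash with the first iteration. The file is named `input_*.bin` but holds `trace_bits`, the coverage map, and `exit(1)` tears down the fuzzer without the project's usual cleanup path; twenty executions per byte replacement plus a `printf` per run will also dominate the stage's cost, so I would expect this to be gated or removed before merge. The function starts and ends outside this hunk. A version that keeps the intent but fixes the types, the fopen check and the naming:

```c
      u64 cksum = 0;
      for (int y = 0; y < 20; y++) {
        if (common_fuzz_stuff(afl, out_buf, len)) { return 0; }
        u64 new_cksum =
            hash64(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST);
        if (y > 0 && cksum != new_cksum) {
          /* the dump is the coverage map, not the input: name it accordingly */
          char mapname[64];
          snprintf(mapname, sizeof(mapname), "unstable_map_%d_%d.bin",
                   afl->stage_cur_byte, y);
          FILE *fp = fopen(mapname, "wb");
          if (fp) {
            fwrite(afl->fsrv.trace_bits, 1, afl->fsrv.map_size, fp);
            fclose(fp);
          } else {
            perror(mapname);
          }
          printf("unstable coverage at byte %d, run %d: %llu != %llu\n",
                 afl->stage_cur_byte, y, (unsigned long long)cksum,
                 (unsigned long long)new_cksum);
          exit(1);
        }
        cksum = new_cksum;
      }
```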