From 58a0f17edbe79fd8e2059e225b3cec2d04ebd953 Mon Sep 17 00:00:00 2001
From: toka
Date: Thu, 10 Jul 2025 14:16:22 +0200
Subject: [PATCH 01/23] my change
---
 src/afl-fuzz-one.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c
index fd5ed87ca3..e0bb74d188 100644
--- a/src/afl-fuzz-one.c
+++ b/src/afl-fuzz-one.c
@@ -1025,6 +1025,8 @@ u8 fuzz_one_original(afl_state_t *afl) {
 #ifdef INTROSPECTION
 snprintf(afl->mutation, sizeof(afl->mutation), "%s ARITH8--%u-%u",
 afl->queue_cur->fname, i, j);
+ fprintf(afl->introspection_file, "LOGGING %s = %s\n", afl->mutation,
+ afl->queue_top->fname);
 #endif
 if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; }
From ac0c0cfd59584092de1cd02563c7fbc7ea428274 Mon Sep 17 00:00:00 2001
From: toka
Date: Fri, 11 Jul 2025 12:07:00 +0200
Subject: [PATCH 02/23] hnb record
---
 src/afl-fuzz-bitmap.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c
index fd75a82293..f14441750e 100644
--- a/src/afl-fuzz-bitmap.c
+++ b/src/afl-fuzz-bitmap.c
@@ -225,6 +225,8 @@ inline u8 has_new_bits(afl_state_t *afl, u8 *virgin_map) {
 #endif /* ^WORD_SIZE_64 */
 u8 ret = 0;
+ u64 cksum = hash64(virgin_map, afl->fsrv.map_size, HASH_CONST);
+ fprintf(afl->introspection_file, "HNB HASH %d\n", cksum);
 while (i--) {
 if (unlikely(*current)) discover_word(&ret, current, virgin);
From 35a2e4c1ffaa4ffe3f81c2a34c1dfa2a593c1ee7 Mon Sep 17 00:00:00 2001
From: toka
Date: Fri, 11 Jul 2025 12:11:49 +0200
Subject: [PATCH 03/23] a
---
 src/afl-fuzz-bitmap.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c
index f14441750e..acc4a89110 100644
--- a/src/afl-fuzz-bitmap.c
+++ b/src/afl-fuzz-bitmap.c
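Review bot: The added fprintf writes to afl->introspection_file without checking that the handle is open, and patch 05 of this same series later guards an identical write in afl-fuzz-bitmap.c with `if (afl->introspection_file)`, which suggests the handle can be NULL here as well. Wrap the two added lines the same way: `if (afl->introspection_file) { fprintf(afl->introspection_file, "LOGGING %s = %s\n", afl->mutation, afl->queue_top->fname); }`. A short comment is also needed on why queue_top (the most recently added entry, if I read AFL++ correctly) rather than queue_cur is the name logged next to a mutation of queue_cur. fuzz_one_original continues outside the hunk.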
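Review bot: `fprintf(afl->introspection_file, "HNB HASH %d\n", cksum)` passes the u64 `cksum` declared on the line above to a `%d` conversion, which is undefined behaviour and at best prints the low 32 bits; use `"HNB HASH %llu\n", (unsigned long long)cksum`. The same `%d`/u64 pairing is carried through patches 03, 04, 05 and 06 of this series and is never corrected. Note also that hash64 over the whole virgin map now runs on every has_new_bits call, and this version writes unconditionally to a handle that patch 05 later decides needs a NULL check. has_new_bits continues outside the hunk.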
@@ -226,7 +226,6 @@ inline u8 has_new_bits(afl_state_t *afl, u8 *virgin_map) {
 u8 ret = 0;
 u64 cksum = hash64(virgin_map, afl->fsrv.map_size, HASH_CONST);
- fprintf(afl->introspection_file, "HNB HASH %d\n", cksum);
 while (i--) {
 if (unlikely(*current)) discover_word(&ret, current, virgin);
@@ -237,8 +236,11 @@ inline u8 has_new_bits(afl_state_t *afl, u8 *virgin_map) {
 }
 if (unlikely(ret) && likely(virgin_map == afl->virgin_bits))
+ {
 afl->bitmap_changed = 1;
-
+ fprintf(afl->introspection_file, "HNB HASH %d\n", cksum);
+ }
+
 return ret;
 }
From 43b14ff5d14126e5ba1c135de260bc4f0aad9a25 Mon Sep 17 00:00:00 2001
From: toka
Date: Fri, 11 Jul 2025 12:19:49 +0200
Subject: [PATCH 04/23] stdout
---
 src/afl-fuzz-bitmap.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c
index acc4a89110..af3d34c3d7 100644
--- a/src/afl-fuzz-bitmap.c
+++ b/src/afl-fuzz-bitmap.c
@@ -238,9 +238,9 @@ inline u8 has_new_bits(afl_state_t *afl, u8 *virgin_map) {
 if (unlikely(ret) && likely(virgin_map == afl->virgin_bits))
 {
 afl->bitmap_changed = 1;
- fprintf(afl->introspection_file, "HNB HASH %d\n", cksum);
+ fprintf(stdout, "HNB HASH %d\n", cksum);
 }
-
+
 return ret;
 }
From 507f07cde66a0c47610c327d658694b76d33a506 Mon Sep 17 00:00:00 2001
From: toka
Date: Fri, 11 Jul 2025 12:32:10 +0200
Subject: [PATCH 05/23] conditional
---
 src/afl-fuzz-bitmap.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c
index af3d34c3d7..890d8ca8c6 100644
--- a/src/afl-fuzz-bitmap.c
+++ b/src/afl-fuzz-bitmap.c
@@ -238,7 +238,9 @@ inline u8 has_new_bits(afl_state_t *afl, u8 *virgin_map) {
 if (unlikely(ret) && likely(virgin_map == afl->virgin_bits))
 {
 afl->bitmap_changed = 1;
- fprintf(stdout, "HNB HASH %d\n", cksum);
+ if(afl->introspection_file) {
+ fprintf(stdout, "HNB HASH %d\n", cksum);
+ }
 }
 return ret;
From 0060be386b4a8bde47289af4a0873c0e6f4e0e24 Mon Sep 17 00:00:00 2001
From: toka
Date: Fri, 11 Jul 2025 12:40:07 +0200
Subject: [PATCH 06/23] ...
---
 src/afl-fuzz-bitmap.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c
index 890d8ca8c6..640237e44d 100644
--- a/src/afl-fuzz-bitmap.c
+++ b/src/afl-fuzz-bitmap.c
@@ -239,7 +239,7 @@ inline u8 has_new_bits(afl_state_t *afl, u8 *virgin_map) {
 {
 afl->bitmap_changed = 1;
 if(afl->introspection_file) {
- fprintf(stdout, "HNB HASH %d\n", cksum);
+ fprintf(afl->introspection_file, "HNB HASH %d\n", cksum);
 }
 }
From b9090e28538ff8a269279039e9939c933467588c Mon Sep 17 00:00:00 2001
From: toka
Date: Fri, 11 Jul 2025 14:00:42 +0200
Subject: [PATCH 07/23] debug
---
 src/afl-fuzz-skipdet.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/afl-fuzz-skipdet.c b/src/afl-fuzz-skipdet.c
index 8a927292bb..9cb1f60c3d 100644
--- a/src/afl-fuzz-skipdet.c
+++ b/src/afl-fuzz-skipdet.c
@@ -161,8 +161,8 @@ u8 skip_deterministic_stage(afl_state_t *afl, u8 *orig_buf, u8 *out_buf,
 u64 cksum =
 hash64(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST);
- // printf("Now trying range %d with %d, %s.\n", pos, cur_block_size,
- // (cksum == prev_cksum) ? (u8*)"Yes" : (u8*) "Not");
+ printf("Now trying range %d with %d, %s.\n", pos, cur_block_size,
+ (cksum == prev_cksum) ? (u8*)"Yes" : (u8*) "Not");
 /* continue until we fail or exceed length */
 if (cksum == _prev_cksum) {
From d890e6094fc5b8e417a7dccbb41eb320d88bf25c Mon Sep 17 00:00:00 2001
From: toka
Date: Fri, 11 Jul 2025 14:14:15 +0200
Subject: [PATCH 08/23] more debug
---
 src/afl-fuzz-skipdet.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/afl-fuzz-skipdet.c b/src/afl-fuzz-skipdet.c
index 9cb1f60c3d..c7c1351b84 100644
--- a/src/afl-fuzz-skipdet.c
+++ b/src/afl-fuzz-skipdet.c
@@ -161,7 +161,7 @@ u8 skip_deterministic_stage(afl_state_t *afl, u8 *orig_buf, u8 *out_buf,
 u64 cksum =
 hash64(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST);
- printf("Now trying range %d with %d, %s.\n", pos, cur_block_size,
+ printf("Now trying range %d with %d %d==%d, %s.\n", pos, cur_block_size, cksum, prev_cksum
 (cksum == prev_cksum) ? (u8*)"Yes" : (u8*) "Not");
 /* continue until we fail or exceed length */
From 4e005ebb180fb527f9b71d9a4d9357cd0ec8fcd3 Mon Sep 17 00:00:00 2001
From: toka
Date: Fri, 11 Jul 2025 14:15:51 +0200
Subject: [PATCH 09/23] more debug
---
 src/afl-fuzz-skipdet.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/afl-fuzz-skipdet.c b/src/afl-fuzz-skipdet.c
index c7c1351b84..58dcffa902 100644
--- a/src/afl-fuzz-skipdet.c
+++ b/src/afl-fuzz-skipdet.c
@@ -161,7 +161,7 @@ u8 skip_deterministic_stage(afl_state_t *afl, u8 *orig_buf, u8 *out_buf,
 u64 cksum =
 hash64(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST);
- printf("Now trying range %d with %d %d==%d, %s.\n", pos, cur_block_size, cksum, prev_cksum
+ printf("Now trying range %d with %d %d==%d, %s.\n", pos, cur_block_size, cksum, prev_cksum,
 (cksum == prev_cksum) ? (u8*)"Yes" : (u8*) "Not");
 /* continue until we fail or exceed length */
From 4e6ea29696acc945b6e176121b137d1a8aea1e19 Mon Sep 17 00:00:00 2001
From: toka
Date: Fri, 11 Jul 2025 14:26:45 +0200
Subject: [PATCH 10/23] moremore debug
---
 src/afl-fuzz-skipdet.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/src/afl-fuzz-skipdet.c b/src/afl-fuzz-skipdet.c
index 58dcffa902..d6a9469088 100644
--- a/src/afl-fuzz-skipdet.c
+++ b/src/afl-fuzz-skipdet.c
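Review bot: The rewritten printf still formats `cksum` and `prev_cksum` with `%d` although `cksum` is declared u64 two lines above, which is undefined behaviour and prints truncated or garbage values; use `%llu` with `(unsigned long long)` casts (or PRIu64 from inttypes.h). The message reports `cksum == prev_cksum` while the decision that follows (visible in patch 07's context, outside this hunk) tests `cksum == _prev_cksum`, so the printed "Yes"/"Not" need not match the branch actually taken; print the value that is compared. `pos` and `cur_block_size` should use `%u` if they are the u32 counters their names suggest. skip_deterministic_stage continues outside the hunk.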
@@ -154,12 +154,19 @@ u8 skip_deterministic_stage(afl_state_t *afl, u8 *orig_buf, u8 *out_buf,
 flip_range(out_buf, pos, flip_block_size);
- if (common_fuzz_stuff(afl, out_buf, len)) return 0;
+ for(int y = 0; y < 10; y++) {
+ printf("Repetition %d\n", y);
+ if (common_fuzz_stuff(afl, out_buf, len)) return 0;
+ u64 cksum =
+ hash64(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST);
+ printf("cksum %d\n", cksum);
+ }
+
+
 flip_range(out_buf, pos, flip_block_size);
- u64 cksum =
- hash64(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST);
+
 printf("Now trying range %d with %d %d==%d, %s.\n", pos, cur_block_size, cksum, prev_cksum,
 (cksum == prev_cksum) ? (u8*)"Yes" : (u8*) "Not");
From 96308eb524c20f510991afe30fba57c2fbe0f52f Mon Sep 17 00:00:00 2001
From: toka
Date: Fri, 11 Jul 2025 14:28:14 +0200
Subject: [PATCH 11/23] fix
---
 src/afl-fuzz-skipdet.c | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/src/afl-fuzz-skipdet.c b/src/afl-fuzz-skipdet.c
index d6a9469088..efeae278e9 100644
--- a/src/afl-fuzz-skipdet.c
+++ b/src/afl-fuzz-skipdet.c
@@ -155,19 +155,15 @@ u8 skip_deterministic_stage(afl_state_t *afl, u8 *orig_buf, u8 *out_buf,
 flip_range(out_buf, pos, flip_block_size);
 for(int y = 0; y < 10; y++) {
- printf("Repetition %d\n", y);
+ printf("Repetition %llu\n", y);
 if (common_fuzz_stuff(afl, out_buf, len)) return 0;
 u64 cksum =
 hash64(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST);
 printf("cksum %d\n", cksum);
 }
-
-
 flip_range(out_buf, pos, flip_block_size);
-
-
 printf("Now trying range %d with %d %d==%d, %s.\n", pos, cur_block_size, cksum, prev_cksum,
 (cksum == prev_cksum) ? (u8*)"Yes" : (u8*) "Not");
From a90f643a72c73af276c976f16f434c1166589bf1 Mon Sep 17 00:00:00 2001
From: toka
Date: Fri, 11 Jul 2025 14:29:31 +0200
Subject: [PATCH 12/23] fix
---
 src/afl-fuzz-skipdet.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/afl-fuzz-skipdet.c b/src/afl-fuzz-skipdet.c
index efeae278e9..e69b5172b6 100644
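Review bot: Changing `%d` to `%llu` for `y` goes the wrong way: `y` is declared `int` in the `for` header on the line above, so `printf("Repetition %llu\n", y)` is now the format mismatch (undefined behaviour, and on most ABIs it reads a second argument that was never passed), while `printf("cksum %d\n", cksum)` two lines below keeps passing a u64 to `%d`. Use `printf("Repetition %d\n", y);` and `printf("cksum %llu\n", (unsigned long long)cksum);`. The loop also runs the same flipped input ten times; if the intent is to check coverage stability, a one-line comment saying so would help the next reader. The enclosing `while` loop and skip_deterministic_stage continue outside the hunk.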
--- a/src/afl-fuzz-skipdet.c
+++ b/src/afl-fuzz-skipdet.c
@@ -154,10 +154,11 @@ u8 skip_deterministic_stage(afl_state_t *afl, u8 *orig_buf, u8 *out_buf,
 flip_range(out_buf, pos, flip_block_size);
+ u64 cksum;
 for(int y = 0; y < 10; y++) {
 printf("Repetition %llu\n", y);
 if (common_fuzz_stuff(afl, out_buf, len)) return 0;
- u64 cksum =
+ cksum =
 hash64(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST);
 printf("cksum %d\n", cksum);
 }
From d33fd7e84667f9d393cc5506996f572ab242e71d Mon Sep 17 00:00:00 2001
From: toka
Date: Fri, 11 Jul 2025 14:59:13 +0200
Subject: [PATCH 13/23] fuzzer
---
 src/afl-fuzz-skipdet.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/src/afl-fuzz-skipdet.c b/src/afl-fuzz-skipdet.c
index e69b5172b6..d685045aa5 100644
--- a/src/afl-fuzz-skipdet.c
+++ b/src/afl-fuzz-skipdet.c
@@ -1,6 +1,7 @@
 #include "afl-fuzz.h"
+#include
 void flip_range(u8 *input, u32 pos, u32 size) {
@@ -157,7 +158,13 @@ u8 skip_deterministic_stage(afl_state_t *afl, u8 *orig_buf, u8 *out_buf,
 u64 cksum;
 for(int y = 0; y < 10; y++) {
 printf("Repetition %llu\n", y);
- if (common_fuzz_stuff(afl, out_buf, len)) return 0;
+ char filename[64];
+ snprintf(filename, sizeof(filename), "file_%d_%d.bin", pos, y);
+
+ if (common_fuzz_stuff(afl, out_buf, len)) return 0;\
+ FILE* fp = fopen(filename, "wb"); // Open file in binary write mode
+ fwrite(afl->fsrv.trace_bits, 1, afl->fsrv.map_size, fp);
+ fclose(fp);
 cksum =
 hash64(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST);
 printf("cksum %d\n", cksum);
From 48742ca70e9c2f19d7f7ad5e853fd937cd96a8e3 Mon Sep 17 00:00:00 2001
From: toka
Date: Fri, 11 Jul 2025 15:11:58 +0200
Subject: [PATCH 14/23] last bit
---
 src/afl-fuzz-skipdet.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/afl-fuzz-skipdet.c b/src/afl-fuzz-skipdet.c
index d685045aa5..f0941cee16 100644
--- a/src/afl-fuzz-skipdet.c
+++ b/src/afl-fuzz-skipdet.c
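Review bot: `FILE* fp = fopen(filename, "wb");` is never checked, so a failed open (unwritable working directory, fd exhaustion) makes the following `fwrite` dereference NULL and crash the fuzzer; guard it with `if (fp) { fwrite(afl->fsrv.trace_bits, 1, afl->fsrv.map_size, fp); fclose(fp); }` or abort through the project's fatal-error macro with the path in the message. The line `if (common_fuzz_stuff(afl, out_buf, len)) return 0;\` ends in a stray backslash that splices the `FILE* fp = ...` line onto it; it compiles but should be removed. The dump is written on every one of the ten repetitions into whatever directory afl-fuzz was started from, map_size bytes per file, which fills disk quickly and should at least be made conditional on a debug switch. Patch 15 repeats the unchecked fopen with fp1/fp2, and the `+#include` in the first hunk has no header name on this page (presumably `<stdio.h>`); please confirm.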
@@ -159,7 +159,7 @@ u8 skip_deterministic_stage(afl_state_t *afl, u8 *orig_buf, u8 *out_buf,
 for(int y = 0; y < 10; y++) {
 printf("Repetition %llu\n", y);
 char filename[64];
- snprintf(filename, sizeof(filename), "file_%d_%d.bin", pos, y);
+ snprintf(filename, sizeof(filename), "file_%d_%d_%d.bin", pos, cur_block_size, y);
 if (common_fuzz_stuff(afl, out_buf, len)) return 0;\
 FILE* fp = fopen(filename, "wb"); // Open file in binary write mode
From bc7e83dfa6d4be1fb3b4766a430c2c307165aa2e Mon Sep 17 00:00:00 2001
From: toka
Date: Fri, 11 Jul 2025 15:30:22 +0200
Subject: [PATCH 15/23] mm
---
 src/afl-fuzz-skipdet.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/src/afl-fuzz-skipdet.c b/src/afl-fuzz-skipdet.c
index f0941cee16..182c21096d 100644
--- a/src/afl-fuzz-skipdet.c
+++ b/src/afl-fuzz-skipdet.c
@@ -159,12 +159,17 @@ u8 skip_deterministic_stage(afl_state_t *afl, u8 *orig_buf, u8 *out_buf,
 for(int y = 0; y < 10; y++) {
 printf("Repetition %llu\n", y);
 char filename[64];
+ char inputname[64];
 snprintf(filename, sizeof(filename), "file_%d_%d_%d.bin", pos, cur_block_size, y);
+ snprintf(inputname, sizeof(inputname), "input_%d_%d_%d.bin", pos, cur_block_size, y);
 if (common_fuzz_stuff(afl, out_buf, len)) return 0;\
- FILE* fp = fopen(filename, "wb"); // Open file in binary write mode
- fwrite(afl->fsrv.trace_bits, 1, afl->fsrv.map_size, fp);
- fclose(fp);
+ FILE* fp1 = fopen(filename, "wb"); // Open file in binary write mode
+ FILE* fp2 = fopen(inputname, "wb"); // Open file in binary write mode
+ fwrite(afl->fsrv.trace_bits, 1, afl->fsrv.map_size, fp1);
+ fwrite(out_buf, 1, len, fp2);
+ fclose(fp1);
+ fclose(fp2);
 cksum =
 hash64(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST);
 printf("cksum %d\n", cksum);
From 0d4eb61a3cf038c62c208d550a3c3810881dc40a Mon Sep 17 00:00:00 2001
From: toka
Date: Sun, 13 Jul 2025 23:55:23 +0200
Subject: [PATCH 16/23] mre
---
 src/afl-fuzz-one.c | 4 ++--
 src/afl-fuzz-skipdet.c | 17 ++---------------
 2 files changed, 4 insertions(+), 17 deletions(-)
diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c
index e0bb74d188..315d324d7f 100644
--- a/src/afl-fuzz-one.c
+++ b/src/afl-fuzz-one.c
@@ -631,7 +631,7 @@ u8 fuzz_one_original(afl_state_t *afl) {
 /* Now flip bits. */
 for (afl->stage_cur = 0; afl->stage_cur < afl->stage_max; ++afl->stage_cur) {
-
+ printf("FLIP1 %d\n", afl->stage_cur);
 afl->stage_cur_byte = afl->stage_cur >> 3;
 if (!skip_eff_map[afl->stage_cur_byte]) continue;
@@ -735,7 +735,7 @@ u8 fuzz_one_original(afl_state_t *afl) {
 }
 new_hit_cnt = afl->queued_items + afl->saved_crashes;
-
+ printf("New Hit! %d\n", new_hit_cnt);
 afl->stage_finds[STAGE_FLIP1] += new_hit_cnt - orig_hit_cnt;
 afl->stage_cycles[STAGE_FLIP1] += afl->stage_max;
 #ifdef INTROSPECTION
diff --git a/src/afl-fuzz-skipdet.c b/src/afl-fuzz-skipdet.c
index 182c21096d..eccb8db882 100644
--- a/src/afl-fuzz-skipdet.c
+++ b/src/afl-fuzz-skipdet.c
@@ -157,28 +157,15 @@ u8 skip_deterministic_stage(afl_state_t *afl, u8 *orig_buf, u8 *out_buf, u64 cksum; for(int y = 0; y < 10; y++) { - printf("Repetition %llu\n", y); - char filename[64]; - char inputname[64]; - snprintf(filename, sizeof(filename), "file_%d_%d_%d.bin", pos, cur_block_size, y); - snprintf(inputname, sizeof(inputname), "input_%d_%d_%d.bin", pos, cur_block_size, y); - if (common_fuzz_stuff(afl, out_buf, len)) return 0;\ - FILE* fp1 = fopen(filename, "wb"); // Open file in binary write mode - FILE* fp2 = fopen(inputname, "wb"); // Open file in binary write mode - fwrite(afl->fsrv.trace_bits, 1, afl->fsrv.map_size, fp1); - fwrite(out_buf, 1, len, fp2); - fclose(fp1); - fclose(fp2); cksum = hash64(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST); - printf("cksum %d\n", cksum); } flip_range(out_buf, pos, flip_block_size); - printf("Now trying range %d with %d %d==%d, %s.\n", pos, cur_block_size, cksum, prev_cksum, - (cksum == prev_cksum) ? (u8*)"Yes" : (u8*) "Not"); + // printf("Now trying range %d with %d %d==%d, %s.\n", pos, cur_block_size, cksum, prev_cksum, + // (cksum == prev_cksum) ? (u8*)"Yes" : (u8*) "Not"); /* continue until we fail or exceed length */ if (cksum == _prev_cksum) { From 8aefe1a7d5c89974e5b8b524acf944b4b0bc3cfd Mon Sep 17 00:00:00 2001 From: toka Date: Mon, 14 Jul 2025 00:07:06 +0200 Subject: [PATCH 17/23] lol --- src/afl-fuzz-one.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c index 315d324d7f..e0e8c4aa6a 100644 --- a/src/afl-fuzz-one.c +++ b/src/afl-fuzz-one.c @@ -616,7 +616,7 @@ u8 fuzz_one_original(afl_state_t *afl) { afl->stage_short = "flip1"; afl->stage_max = len << 3; afl->stage_name = "bitflip 1/1"; - + printf("FLIP1\n"); afl->stage_val_type = STAGE_VAL_NONE; orig_hit_cnt = afl->queued_items + afl->saved_crashes; 
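Review bot: With the dumps and prints removed, the `for(int y = 0; y < 10; y++)` loop whose header is visible in the context now only recomputes `cksum` from trace_bits on each pass and keeps the last value, so the inference step costs up to ten executions per flipped block for no observable purpose; either restore the original single call or add a comment such as `/* NOTE: repeated runs are a temporary stability check; revert before merging */`. On this rendering it is not possible to tell whether the `if (common_fuzz_stuff(afl, out_buf, len)) return 0;\` line is kept as context or deleted along with the blank line next to it; if it was deleted, the loop no longer executes the target at all and `cksum` hashes a stale map, so please confirm the new side. The `printf("Now trying ...")` is commented out rather than removed, which leaves dead code with the `%d`/u64 mismatch for the next person to re-enable. The enclosing `while` loop and skip_deterministic_stage continue outside the hunk.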
@@ -631,7 +631,7 @@ u8 fuzz_one_original(afl_state_t *afl) {
 /* Now flip bits. */
 for (afl->stage_cur = 0; afl->stage_cur < afl->stage_max; ++afl->stage_cur) {
- printf("FLIP1 %d\n", afl->stage_cur);
+
 afl->stage_cur_byte = afl->stage_cur >> 3;
 if (!skip_eff_map[afl->stage_cur_byte]) continue;
@@ -735,7 +735,7 @@ u8 fuzz_one_original(afl_state_t *afl) {
 }
 new_hit_cnt = afl->queued_items + afl->saved_crashes;
- printf("New Hit! %d\n", new_hit_cnt);
+
 afl->stage_finds[STAGE_FLIP1] += new_hit_cnt - orig_hit_cnt;
 afl->stage_cycles[STAGE_FLIP1] += afl->stage_max;
 #ifdef INTROSPECTION
@@ -747,6 +747,7 @@ u8 fuzz_one_original(afl_state_t *afl) {
 afl->stage_name = "bitflip 2/1";
 afl->stage_short = "flip2";
 afl->stage_max = (len << 3) - 1;
+ printf("FLIP2\n");
 orig_hit_cnt = new_hit_cnt;
@@ -786,6 +787,7 @@ u8 fuzz_one_original(afl_state_t *afl) {
 afl->stage_name = "bitflip 4/1";
 afl->stage_short = "flip4";
 afl->stage_max = (len << 3) - 3;
+ printf("FLIP4\n");
 orig_hit_cnt = new_hit_cnt;
@@ -829,6 +831,7 @@ u8 fuzz_one_original(afl_state_t *afl) {
 afl->stage_name = "bitflip 8/8";
 afl->stage_short = "flip8";
 afl->stage_max = len;
+ printf("FLIP8\n");
 orig_hit_cnt = new_hit_cnt;
 prev_cksum = _prev_cksum;
@@ -880,6 +883,7 @@ u8 fuzz_one_original(afl_state_t *afl) {
 afl->stage_short = "flip16";
 afl->stage_cur = 0;
 afl->stage_max = len - 1;
+ printf("FLIP16\n");
 orig_hit_cnt = new_hit_cnt;
@@ -923,6 +927,7 @@ u8 fuzz_one_original(afl_state_t *afl) {
 afl->stage_short = "flip32";
 afl->stage_cur = 0;
 afl->stage_max = len - 3;
+ printf("FLIP32\n");
 orig_hit_cnt = new_hit_cnt;
From 6fa5cce29dd5bce4c85acb4d7a00b0e5b986c2d2 Mon Sep 17 00:00:00 2001
From: toka
Date: Mon, 14 Jul 2025 00:21:05 +0200
Subject: [PATCH 18/23] more test
---
 src/afl-fuzz-one.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c
index e0e8c4aa6a..71232711b0 100644
--- a/src/afl-fuzz-one.c
+++ b/src/afl-fuzz-one.c
@@ -1573,7 +1573,7 @@ u8 fuzz_one_original(afl_state_t *afl) {
 afl->stage_max = afl->extras_cnt * len;
 afl->stage_val_type = STAGE_VAL_NONE;
-
+ printf("EXT O");
 orig_hit_cnt = new_hit_cnt;
 for (i = 0; i < (u32)len; ++i) {
From df620c1f41a3b32d25182bb4f3b97ed5892c035d Mon Sep 17 00:00:00 2001
From: toka
Date: Mon, 14 Jul 2025 00:31:11 +0200
Subject: [PATCH 19/23] more debug
---
 src/afl-fuzz-skipdet.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/afl-fuzz-skipdet.c b/src/afl-fuzz-skipdet.c
index eccb8db882..af8cef0b85 100644
--- a/src/afl-fuzz-skipdet.c
+++ b/src/afl-fuzz-skipdet.c
@@ -233,7 +233,7 @@ u8 skip_deterministic_stage(afl_state_t *afl, u8 *orig_buf, u8 *out_buf,
 orig_hit_cnt = afl->queued_items + afl->saved_crashes;
 u32 before_skip_inf = afl->queued_items;
-
+ printf
 /* clean all the eff bytes, since previous eff bytes are already fuzzed */
 u8 *skip_eff_map = afl->queue_cur->skipdet_e->skip_eff_map,
 *done_inf_map = afl->queue_cur->skipdet_e->done_inf_map;
@@ -311,6 +311,7 @@ u8 skip_deterministic_stage(afl_state_t *afl, u8 *orig_buf, u8 *out_buf,
 }
 out_buf[afl->stage_cur_byte] = replace;
+ println!("Replacing %d with %d\n", afl->stage_cur_byte, replace);
 before_skip_inf = afl->queued_items;
From 0bd2512dc4a229424aecb19f7e3dcb73937920b1 Mon Sep 17 00:00:00 2001
From: toka
Date: Mon, 14 Jul 2025 00:32:33 +0200
Subject: [PATCH 20/23] more debug
---
 src/afl-fuzz-skipdet.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/afl-fuzz-skipdet.c b/src/afl-fuzz-skipdet.c
index af8cef0b85..c44173b589 100644
--- a/src/afl-fuzz-skipdet.c
+++ b/src/afl-fuzz-skipdet.c
@@ -311,7 +311,7 @@ u8 skip_deterministic_stage(afl_state_t *afl, u8 *orig_buf, u8 *out_buf,
 }
 out_buf[afl->stage_cur_byte] = replace;
- println!("Replacing %d with %d\n", afl->stage_cur_byte, replace);
+ printf("Replacing %d with %d\n", afl->stage_cur_byte, replace);
 before_skip_inf = afl->queued_items;
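Review bot: `printf("EXT O");` has no trailing newline, so with a line-buffered stdout it stays in the stdio buffer until something else flushes it and is lost entirely if the fuzzer aborts, which defeats its purpose as a progress marker; use `printf("EXT O\n");` or, better, `fprintf(stderr, "EXT O\n");`. All of the stage markers added in patch 17 (`FLIP2` … `FLIP32`) go to stdout as well, which afl-fuzz presumably uses for its status screen, so they will interleave with the UI redraw; routing the whole set of debug traces to stderr or to afl->introspection_file behind one `#ifdef` would keep them in one place and make them easy to strip before merging. fuzz_one_original continues outside the hunk.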
From 5e4cd4bf5e0065ffed75093acd597659f3f13c00 Mon Sep 17 00:00:00 2001
From: toka
Date: Mon, 14 Jul 2025 00:35:46 +0200
Subject: [PATCH 21/23] more debug
---
 src/afl-fuzz-skipdet.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/afl-fuzz-skipdet.c b/src/afl-fuzz-skipdet.c
index c44173b589..dc56f1a089 100644
--- a/src/afl-fuzz-skipdet.c
+++ b/src/afl-fuzz-skipdet.c
@@ -233,7 +233,7 @@ u8 skip_deterministic_stage(afl_state_t *afl, u8 *orig_buf, u8 *out_buf,
 orig_hit_cnt = afl->queued_items + afl->saved_crashes;
 u32 before_skip_inf = afl->queued_items;
- printf
+ printf("QUICK at %d\n", afl->fsrv.total_execs);
 /* clean all the eff bytes, since previous eff bytes are already fuzzed */
 u8 *skip_eff_map = afl->queue_cur->skipdet_e->skip_eff_map,
 *done_inf_map = afl->queue_cur->skipdet_e->done_inf_map;
From a3b5238daee522f4441517ee5e77a51728fcdc4e Mon Sep 17 00:00:00 2001
From: toka
Date: Mon, 14 Jul 2025 00:50:13 +0200
Subject: [PATCH 22/23] more
---
 src/afl-fuzz-skipdet.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/src/afl-fuzz-skipdet.c b/src/afl-fuzz-skipdet.c
index dc56f1a089..4583f30f7f 100644
--- a/src/afl-fuzz-skipdet.c
+++ b/src/afl-fuzz-skipdet.c
@@ -315,7 +315,17 @@ u8 skip_deterministic_stage(afl_state_t *afl, u8 *orig_buf, u8 *out_buf,
 before_skip_inf = afl->queued_items;
- if (common_fuzz_stuff(afl, out_buf, len)) { return 0; }
+ int cksum = 0;
+ for(int y = 0; y < 20; y++) {
+ if (common_fuzz_stuff(afl, out_buf, len)) { return 0; }
+ int new_cksum =
+ hash64(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST);
+ if (cksum != 0 && cksum != new_cksum) {
+ printf("============================================================================\n");
+ }
+ printf("new_cksum: %d\n", new_cksum);
+ cksum = new_cksum;
+ }
 out_buf[afl->stage_cur_byte] = orig;
From 06078579cf884c23fbc8fefb3430e6823c02f555 Mon Sep 17 00:00:00 2001
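Review bot: `printf("QUICK at %d\n", afl->fsrv.total_execs)` formats the execution counter with `%d`; if `total_execs` is the 64-bit counter its name suggests (its declaration is not in this series), that is undefined behaviour and prints a truncated count, so cast and use `printf("QUICK at %llu\n", (unsigned long long)afl->fsrv.total_execs);`. skip_deterministic_stage continues outside the hunk.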
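Review bot: `int new_cksum = hash64(...)` truncates the 64-bit hash (elsewhere in this series it is stored in a u64) to int, so two different coverage maps can compare equal in `cksum != new_cksum` and the instability this loop is meant to expose is missed; keep both variables u64 and print them with `%llu`. `cksum != 0` is used as a first-iteration marker, but 0 is a legitimate hash value, so an iteration whose hash truncates to 0 silently skips the comparison on the next pass; use `y > 0` as the guard instead. The loop also executes every candidate byte replacement 20 times, which multiplies the cost of this stage and deserves a comment marking it as a temporary diagnostic. skip_deterministic_stage continues outside the hunk.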
From: toka
Date: Mon, 14 Jul 2025 00:58:50 +0200
Subject: [PATCH 23/23] really; last debug
---
 src/afl-fuzz-skipdet.c | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/src/afl-fuzz-skipdet.c b/src/afl-fuzz-skipdet.c
index 4583f30f7f..8a07f9c87d 100644
--- a/src/afl-fuzz-skipdet.c
+++ b/src/afl-fuzz-skipdet.c
@@ -321,7 +321,14 @@ u8 skip_deterministic_stage(afl_state_t *afl, u8 *orig_buf, u8 *out_buf,
 int new_cksum =
 hash64(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST);
 if (cksum != 0 && cksum != new_cksum) {
+ char inputname[64];
+ snprintf(inputname, sizeof(inputname), "input_%d_%d.bin", afl->stage_cur_byte, y);
+ FILE* fp1 = fopen(inputname, "wb"); // Open file in binary write mode
+ fwrite(afl->fsrv.trace_bits, 1, afl->fsrv.map_size, fp1);
+ fclose(fp1);
 printf("============================================================================\n");
+ printf("new_cksum: %d\n", new_cksum);
+ exit(1);
 }
 printf("new_cksum: %d\n", new_cksum);
 cksum = new_cksum;
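Review bot: `FILE* fp1 = fopen(inputname, "wb");` is unchecked, so a failing open crashes in `fwrite` instead of reporting; test the handle before use, e.g. `if (fp1) { fwrite(afl->fsrv.trace_bits, 1, afl->fsrv.map_size, fp1); fclose(fp1); }`. The file is named `input_…` but its content is `afl->fsrv.trace_bits` (the coverage map), not `out_buf`, which will mislead whoever analyses the dumps; either write `out_buf` (as patch 15 did for the input) or rename the file. `exit(1)` from inside the fuzzing loop terminates the fuzzer from deep within a stage without saying why; the project's fatal-error macro, or at least a message on stderr naming the byte and iteration, would make the abort diagnosable. The closing brace of the `for` loop and skip_deterministic_stage are outside the hunk.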