modernize docs and readme for qemu and unicorn

2025-06-13 18:48:08 +00:00 · 2019-08-30 11:38:33 +02:00
parent f677427f68
commit 7b36afd5f1
19 changed files with 227 additions and 245 deletions
--- a/docs/unicorn_mode.txt
+++ b/docs/unicorn_mode.txt
@ -1,109 +0,0 @@
 =========================================================
 Unicorn-based binary-only instrumentation for afl-fuzz
 =========================================================
 1) Introduction
 ---------------
 The code in ./unicorn_mode allows you to build a standalone feature that
 leverages the Unicorn Engine and allows callers to obtain instrumentation 
 output for black-box, closed-source binary code snippets. This mechanism 
 can be then used by afl-fuzz to stress-test targets that couldn't be built 
 with afl-gcc or used in QEMU mode, or with other extensions such as 
 TriforceAFL.
 There is a significant performance penalty compared to native AFL,
 but at least we're able to use AFL on these binaries, right?
 The idea and much of the implementation comes from Nathan Voss <njvoss299@gmail.com>.
 2) How to use
 -------------
 Requirements: you need an installed python2 environment.
 *** Building AFL's Unicorn Mode ***
 First, make afl as usual.
 Once that completes successfully you need to build and add in the Unicorn Mode 
 features:
  $ cd unicorn_mode
  $ ./build_unicorn_support.sh
 NOTE: This script downloads a recent Unicorn Engine commit that has been tested 
 and is stable-ish from the Unicorn github page. If you are offline, you'll need 
 to hack up this script a little bit and supply your own copy of Unicorn's latest 
 stable release. It's not very hard, just check out the beginning of the 
 build_unicorn_support.sh script and adjust as necessary.
 Building Unicorn will take a little bit (~5-10 minutes). Once it completes 
 it automatically compiles a sample application and verify that it works.
 *** Fuzzing with Unicorn Mode ***
 To really use unicorn-mode effectively you need to prepare the following:
 	* Relevant binary code to be fuzzed
 	* Knowledge of the memory map and good starting state
 	* Folder containing sample inputs to start fuzzing with
 		- Same ideas as any other AFL inputs
 		- Quality/speed of results will depend greatly on quality of starting 
 		  samples
 		- See AFL's guidance on how to create a sample corpus
 	* Unicorn-based test harness which:
 		- Adds memory map regions
 		- Loads binary code into memory		
 		- Emulates at least one instruction*
 			- Yeah, this is lame. See 'Gotchas' section below for more info		
 		- Loads and verifies data to fuzz from a command-line specified file
 			- AFL will provide mutated inputs by changing the file passed to 
 			  the test harness
 			- Presumably the data to be fuzzed is at a fixed buffer address
 			- If input constraints (size, invalid bytes, etc.) are known they 
 			  should be checked after the file is loaded. If a constraint 
 			  fails, just exit the test harness. AFL will treat the input as 
 			  'uninteresting' and move on.
 		- Sets up registers and memory state for beginning of test
 		- Emulates the interested code from beginning to end
 		- If a crash is detected, the test harness must 'crash' by 
 		  throwing a signal (SIGSEGV, SIGKILL, SIGABORT, etc.)
 Once you have all those things ready to go you just need to run afl-fuzz in
 'unicorn-mode' by passing in the '-U' flag:
 	$ afl-fuzz -U -m none -i /path/to/inputs -o /path/to/results -- ./test_harness @@
 The normal afl-fuzz command line format applies to everything here. Refer to
 AFL's main documentation for more info about how to use afl-fuzz effectively.
 For a much clearer vision of what all of this looks like, please refer to the
 sample provided in the 'unicorn_mode/samples' directory. There is also a blog
 post that goes over the basics at:
 https://medium.com/@njvoss299/afl-unicorn-fuzzing-arbitrary-binary-code-563ca28936bf
 The 'helper_scripts' directory also contains several helper scripts that allow you 
 to dump context from a running process, load it, and hook heap allocations. For details
 on how to use this check out the follow-up blog post to the one linked above.
 A example use of AFL-Unicorn mode is discussed in the Paper Unicorefuzz:
 https://www.usenix.org/conference/woot19/presentation/maier
 3) Gotchas, feedback, bugs
 --------------------------
 To make sure that AFL's fork server starts up correctly the Unicorn test 
 harness script must emulate at least one instruction before loading the
 data that will be fuzzed from the input file. It doesn't matter what the
 instruction is, nor if it is valid. This is an artifact of how the fork-server
 is started and could likely be fixed with some clever re-arranging of the
 patches applied to Unicorn.
 Running the build script builds Unicorn and its python bindings and installs 
 them on your system. This installation will supersede any existing Unicorn
 installation with the patched afl-unicorn version.
 Refer to the unicorn_mode/samples/arm_example/arm_tester.c for an example
 of how to do this properly! If you don't get this right, AFL will not 
 load any mutated inputs and your fuzzing will be useless!
--- a/qemu_mode/README.qemu
+++ b/qemu_mode/README.qemu
@ -1,11 +1,8 @@
-=========================================================
+# High-performance binary-only instrumentation for afl-fuzz
 High-performance binary-only instrumentation for afl-fuzz
 =========================================================
  (See ../docs/README for the general instruction manual.)
-1) Introduction
+## 1) Introduction
 ---------------
 The code in this directory allows you to build a standalone feature that
 leverages the QEMU "user emulation" mode and allows callers to obtain
@ -20,8 +17,7 @@ The idea and much of the initial implementation comes from Andrew Griffiths.
 The actual implementation on QEMU 3 (shipped with afl++) is from
 Andrea Fioraldi. Special thanks to abiondo that re-enabled TCG chaining.
-2) How to use
+## 2) How to use
 -------------
 The feature is implemented with a patch to QEMU 3.1.0. The simplest way
 to build it is to run ./build_qemu_support.sh. The script will download,
@ -48,16 +44,15 @@ Note: if you want the QEMU helper to be installed on your system for all
 users, you need to build it before issuing 'make install' in the parent
 directory.
-3) Options
+## 3) Options
 ----------
 There is ./libcompcov/ which implements laf-intel (splitting memcmp,
 strncmp, etc. to make these conditions easier solvable by afl-fuzz).
 Highly recommended.
-The option that enables QEMU CompareCoverage is QEMU_COMPCOV_LEVEL.
+The option that enables QEMU CompareCoverage is AFL_COMPCOV_LEVEL.
-QEMU_COMPCOV_LEVEL=1 is to instrument comparisons with only immediate
+AFL_COMPCOV_LEVEL=1 is to instrument comparisons with only immediate
-values / read-only memory. QEMU_COMPCOV_LEVEL=2 instruments all
+values / read-only memory. AFL_COMPCOV_LEVEL=2 instruments all
 comparison instructions and memory comparison functions when libcompcov
 is preloaded. Comparison instructions are currently instrumented only
 on the x86 and x86_64 targets.
@ -68,8 +63,7 @@ opened (e.g. way after command line parsing and config file loading, etc)
 which can be a huge speed improvement. Note that the specified address
 must be an address of a basic block.
-4) Notes on linking
+## 4) Notes on linking
 -------------------
 The feature is supported only on Linux. Supporting BSD may amount to porting
 the changes made to linux-user/elfload.c and applying them to
@ -90,8 +84,7 @@ practice, this means two things:
 Setting AFL_INST_LIBS=1 can be used to circumvent the .text detection logic
 and instrument every basic block encountered.
-5) Benchmarking
+## 5) Benchmarking
 ---------------
 If you want to compare the performance of the QEMU instrumentation with that of
 afl-gcc compiled code against the same target, you need to build the
@ -106,8 +99,7 @@ Comparative measurements of execution speed or instrumentation coverage will be
 fairly meaningless if the optimization levels or instrumentation scopes don't
 match.
-6) Gotchas, feedback, bugs
+## 6) Gotchas, feedback, bugs
 --------------------------
 If you need to fix up checksums or do other cleanup on mutated test cases, see
 experimental/post_library/ for a viable solution.
@ -128,8 +120,7 @@ with -march=core2, can help.
 Beyond that, this is an early-stage mechanism, so fields reports are welcome.
 You can send them to <afl-users@googlegroups.com>.
-7) Alternatives: static rewriting
+## 7) Alternatives: static rewriting
 ---------------------------------
 Statically rewriting binaries just once, instead of attempting to translate
 them at run time, can be a faster alternative. That said, static rewriting is
--- a/qemu_mode/build_qemu_support.sh
+++ b/qemu_mode/build_qemu_support.sh
@ -3,10 +3,17 @@
 # american fuzzy lop - QEMU build script
 # --------------------------------------
 #
-# Written by Andrew Griffiths <agriffiths@google.com> and
+# Originally written by Andrew Griffiths <agriffiths@google.com> and
-#            Michal Zalewski <lcamtuf@google.com>
+#                       Michal Zalewski <lcamtuf@google.com>
 #
 # TCG instrumentation and block chaining support by Andrea Biondo
 #                                    <andrea.biondo965@gmail.com>
 #
 # QEMU 3.1.0 port, TCG thread-safety, CompareCoverage and NeverZero
 # counters by Andrea Fioraldi <andreafioraldi@gmail.com>
 #
 # Copyright 2015, 2016, 2017 Google Inc. All rights reserved.
 # Copyright 2019 AFLplusplus Project. All rights reserved.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
--- a/qemu_mode/libcompcov/libcompcov.so.c
+++ b/qemu_mode/libcompcov/libcompcov.so.c
@ -5,7 +5,7 @@
   Written and maintained by Andrea Fioraldi <andreafioraldi@gmail.com>
-   Copyright 2019 Andrea Fioraldi. All rights reserved.
+   Copyright 2019 AFLplusplus Project. All rights reserved.
   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
--- a/qemu_mode/patches/afl-qemu-common.h
+++ b/qemu_mode/patches/afl-qemu-common.h
@ -1,19 +1,18 @@
 /*
-   american fuzzy lop - high-performance binary-only instrumentation
+   american fuzzy lop++ - high-performance binary-only instrumentation
-   -----------------------------------------------------------------
+   -------------------------------------------------------------------
-   Written by Andrew Griffiths <agriffiths@google.com> and
+   Originally written by Andrew Griffiths <agriffiths@google.com> and
-              Michal Zalewski <lcamtuf@google.com>
+                         Michal Zalewski <lcamtuf@google.com>
   Idea & design very much by Andrew Griffiths.
   TCG instrumentation and block chaining support by Andrea Biondo
                                      <andrea.biondo965@gmail.com>
-   QEMU 3.1.0 port, TCG thread-safety and CompareCoverage by Andrea Fioraldi
+   QEMU 3.1.0 port, TCG thread-safety, CompareCoverage and NeverZero
-                                      <andreafioraldi@gmail.com>
+   counters by Andrea Fioraldi <andreafioraldi@gmail.com>
   Copyright 2015, 2016, 2017 Google Inc. All rights reserved.
   Copyright 2019 AFLplusplus Project. All rights reserved.
   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
--- a/qemu_mode/patches/afl-qemu-cpu-inl.h
+++ b/qemu_mode/patches/afl-qemu-cpu-inl.h
@ -1,19 +1,18 @@
 /*
-   american fuzzy lop - high-performance binary-only instrumentation
+   american fuzzy lop++ - high-performance binary-only instrumentation
-   -----------------------------------------------------------------
+   -------------------------------------------------------------------
-   Written by Andrew Griffiths <agriffiths@google.com> and
+   Originally written by Andrew Griffiths <agriffiths@google.com> and
-              Michal Zalewski <lcamtuf@google.com>
+                         Michal Zalewski <lcamtuf@google.com>
   Idea & design very much by Andrew Griffiths.
   TCG instrumentation and block chaining support by Andrea Biondo
                                      <andrea.biondo965@gmail.com>
-   QEMU 3.1.0 port, TCG thread-safety and CompareCoverage by Andrea Fioraldi
+   QEMU 3.1.0 port, TCG thread-safety, CompareCoverage and NeverZero
-                                      <andreafioraldi@gmail.com>
+   counters by Andrea Fioraldi <andreafioraldi@gmail.com>
   Copyright 2015, 2016, 2017 Google Inc. All rights reserved.
   Copyright 2019 AFLplusplus Project. All rights reserved.
   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
--- a/qemu_mode/patches/afl-qemu-cpu-translate-inl.h
+++ b/qemu_mode/patches/afl-qemu-cpu-translate-inl.h
@ -1,19 +1,18 @@
 /*
-   american fuzzy lop - high-performance binary-only instrumentation
+   american fuzzy lop++ - high-performance binary-only instrumentation
-   -----------------------------------------------------------------
+   -------------------------------------------------------------------
-   Written by Andrew Griffiths <agriffiths@google.com> and
+   Originally written by Andrew Griffiths <agriffiths@google.com> and
-              Michal Zalewski <lcamtuf@google.com>
+                         Michal Zalewski <lcamtuf@google.com>
   Idea & design very much by Andrew Griffiths.
   TCG instrumentation and block chaining support by Andrea Biondo
                                      <andrea.biondo965@gmail.com>
-   
+
-   QEMU 3.1.0 port, TCG thread-safety and CompareCoverage by Andrea Fioraldi
+   QEMU 3.1.0 port, TCG thread-safety, CompareCoverage and NeverZero
-                                      <andreafioraldi@gmail.com>
+   counters by Andrea Fioraldi <andreafioraldi@gmail.com>
   Copyright 2015, 2016, 2017 Google Inc. All rights reserved.
   Copyright 2019 AFLplusplus Project. All rights reserved.
   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
--- a/qemu_mode/patches/afl-qemu-tcg-inl.h
+++ b/qemu_mode/patches/afl-qemu-tcg-inl.h
@ -1,19 +1,18 @@
 /*
-   american fuzzy lop - high-performance binary-only instrumentation
+   american fuzzy lop++ - high-performance binary-only instrumentation
-   -----------------------------------------------------------------
+   -------------------------------------------------------------------
-   Written by Andrew Griffiths <agriffiths@google.com> and
+   Originally written by Andrew Griffiths <agriffiths@google.com> and
-              Michal Zalewski <lcamtuf@google.com>
+                         Michal Zalewski <lcamtuf@google.com>
   Idea & design very much by Andrew Griffiths.
   TCG instrumentation and block chaining support by Andrea Biondo
                                      <andrea.biondo965@gmail.com>
-   QEMU 3.1.0 port, TCG thread-safety and CompareCoverage by Andrea Fioraldi
+   QEMU 3.1.0 port, TCG thread-safety, CompareCoverage and NeverZero
-                                      <andreafioraldi@gmail.com>
+   counters by Andrea Fioraldi <andreafioraldi@gmail.com>
   Copyright 2015, 2016, 2017 Google Inc. All rights reserved.
   Copyright 2019 AFLplusplus Project. All rights reserved.
   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
--- a/qemu_mode/patches/afl-qemu-translate-inl.h
+++ b/qemu_mode/patches/afl-qemu-translate-inl.h
@ -1,19 +1,18 @@
 /*
-   american fuzzy lop - high-performance binary-only instrumentation
+   american fuzzy lop++ - high-performance binary-only instrumentation
-   -----------------------------------------------------------------
+   -------------------------------------------------------------------
-   Written by Andrew Griffiths <agriffiths@google.com> and
+   Originally written by Andrew Griffiths <agriffiths@google.com> and
-              Michal Zalewski <lcamtuf@google.com>
+                         Michal Zalewski <lcamtuf@google.com>
   Idea & design very much by Andrew Griffiths.
   TCG instrumentation and block chaining support by Andrea Biondo
                                      <andrea.biondo965@gmail.com>
-   QEMU 3.1.0 port, TCG thread-safety and CompareCoverage by Andrea Fioraldi
+   QEMU 3.1.0 port, TCG thread-safety, CompareCoverage and NeverZero
-                                      <andreafioraldi@gmail.com>
+   counters by Andrea Fioraldi <andreafioraldi@gmail.com>
   Copyright 2015, 2016, 2017 Google Inc. All rights reserved.
   Copyright 2019 AFLplusplus Project. All rights reserved.
   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
--- a/unicorn_mode/README.md
+++ b/unicorn_mode/README.md
@ -1,23 +1,119 @@
-```
+# Unicorn-based binary-only instrumentation for afl-fuzz
        __ _                 _                      
  __ _ / _| |    _   _ _ __ (_) ___ ___  _ __ _ __  
 / _` | |_| |___| | | | '_ \| |/ __/ _ \| '__| '_ \ 
 | (_| |  _| |___| |_| | | | | | (_| (_) | |  | | | |
 \__,_|_| |_|    \__,_|_| |_|_|\___\___/|_|  |_| |_|
 ```
-afl-unicorn lets you fuzz any piece of binary that can be emulated by
+The idea and much of the original implementation comes from Nathan Voss <njvoss299@gmail.com>.
 [Unicorn Engine](http://www.unicorn-engine.org/). 
-Requirements: Python2
+The port to afl++ if by Dominik Maier <mail@dmnk.co>.
-For the full readme please see docs/unicorn_mode.txt
+The CompareCoverage and NeverZero counters features by Andrea Fioraldi <andreafioraldi@gmail.com>.
-For an in-depth description of what this is, how to install it, and how to use
+## 1) Introduction
 it check out this [blog post](https://medium.com/@njvoss299/afl-unicorn-fuzzing-arbitrary-binary-code-563ca28936bf).
-For general help with AFL, please refer to the documents in the ./docs/ directory.
+The code in ./unicorn_mode allows you to build a standalone feature that
 leverages the Unicorn Engine and allows callers to obtain instrumentation 
 output for black-box, closed-source binary code snippets. This mechanism 
 can be then used by afl-fuzz to stress-test targets that couldn't be built 
 with afl-gcc or used in QEMU mode, or with other extensions such as 
 TriforceAFL.
-Created by Nathan Voss, originally funded by
+There is a significant performance penalty compared to native AFL,
-[Battelle](https://www.battelle.org/cyber).
+but at least we're able to use AFL on these binaries, right?
 ## 2) How to use
 Requirements: you need an installed python2 environment.
 ### Building AFL's Unicorn Mode
 First, make afl++ as usual.
 Once that completes successfully you need to build and add in the Unicorn Mode 
 features:
  $ cd unicorn_mode
  $ ./build_unicorn_support.sh
 NOTE: This script downloads a Unicorn Engine commit that has been tested 
 and is stable-ish from the Unicorn github page. If you are offline, you'll need 
 to hack up this script a little bit and supply your own copy of Unicorn's latest 
 stable release. It's not very hard, just check out the beginning of the 
 build_unicorn_support.sh script and adjust as necessary.
 Building Unicorn will take a little bit (~5-10 minutes). Once it completes 
 it automatically compiles a sample application and verify that it works.
 ### Fuzzing with Unicorn Mode
 To really use unicorn-mode effectively you need to prepare the following:
 	* Relevant binary code to be fuzzed
 	* Knowledge of the memory map and good starting state
 	* Folder containing sample inputs to start fuzzing with
 		+ Same ideas as any other AFL inputs
 		+ Quality/speed of results will depend greatly on quality of starting 
 		  samples
 		+ See AFL's guidance on how to create a sample corpus
 	* Unicorn-based test harness which:
 		+ Adds memory map regions
 		+ Loads binary code into memory		
 		+ Emulates at least one instruction*
 			+ Yeah, this is lame. See 'Gotchas' section below for more info		
 		+ Loads and verifies data to fuzz from a command-line specified file
 			+ AFL will provide mutated inputs by changing the file passed to 
 			  the test harness
 			+ Presumably the data to be fuzzed is at a fixed buffer address
 			+ If input constraints (size, invalid bytes, etc.) are known they 
 			  should be checked after the file is loaded. If a constraint 
 			  fails, just exit the test harness. AFL will treat the input as 
 			  'uninteresting' and move on.
 		+ Sets up registers and memory state for beginning of test
 		+ Emulates the interested code from beginning to end
 		+ If a crash is detected, the test harness must 'crash' by 
 		  throwing a signal (SIGSEGV, SIGKILL, SIGABORT, etc.)
 Once you have all those things ready to go you just need to run afl-fuzz in
 'unicorn-mode' by passing in the '-U' flag:
 	$ afl-fuzz -U -m none -i /path/to/inputs -o /path/to/results -- ./test_harness @@
 The normal afl-fuzz command line format applies to everything here. Refer to
 AFL's main documentation for more info about how to use afl-fuzz effectively.
 For a much clearer vision of what all of this looks like, please refer to the
 sample provided in the 'unicorn_mode/samples' directory. There is also a blog
 post that goes over the basics at:
 https://medium.com/@njvoss299/afl-unicorn-fuzzing-arbitrary-binary-code-563ca28936bf
 The 'helper_scripts' directory also contains several helper scripts that allow you 
 to dump context from a running process, load it, and hook heap allocations. For details
 on how to use this check out the follow-up blog post to the one linked above.
 A example use of AFL-Unicorn mode is discussed in the Paper Unicorefuzz:
 https://www.usenix.org/conference/woot19/presentation/maier
 ## 3) Options
 As for the QEMU-based instrumentation, the afl-unicorn twist of afl++
 comes with a sub-instruction based instrumentation similar in purpose to laf-intel.
 The options that enables Unicorn CompareCoverage are the same used for QEMU.
 AFL_COMPCOV_LEVEL=1 is to instrument comparisons with only immediate
 values. QEMU_COMPCOV_LEVEL=2 instruments all
 comparison instructions. Comparison instructions are currently instrumented only
 on the x86 and x86_64 targets.
 ## 4) Gotchas, feedback, bugs
 To make sure that AFL's fork server starts up correctly the Unicorn test 
 harness script must emulate at least one instruction before loading the
 data that will be fuzzed from the input file. It doesn't matter what the
 instruction is, nor if it is valid. This is an artifact of how the fork-server
 is started and could likely be fixed with some clever re-arranging of the
 patches applied to Unicorn.
 Running the build script builds Unicorn and its python bindings and installs 
 them on your system. This installation will supersede any existing Unicorn
 installation with the patched afl-unicorn version.
 Refer to the unicorn_mode/samples/arm_example/arm_tester.c for an example
 of how to do this properly! If you don't get this right, AFL will not 
 load any mutated inputs and your fuzzing will be useless!
--- a/unicorn_mode/build_unicorn_support.sh
+++ b/unicorn_mode/build_unicorn_support.sh
@ -1,16 +1,20 @@
 #!/bin/sh
 #
-# american fuzzy lop - Unicorn-Mode build script
+# american fuzzy lop++ - unicorn mode build script
-# --------------------------------------
+# ------------------------------------------------
 #
-# Written by Nathan Voss <njvoss99@gmail.com>
+# Originally written by Nathan Voss <njvoss99@gmail.com>
 # 
 # Adapted from code by Andrew Griffiths <agriffiths@google.com> and
 #                      Michal Zalewski <lcamtuf@google.com>
 #
-# Adapted for Afl++ by Dominik Maier <mail@dmnk.co>
+# Adapted for AFLplusplus by Dominik Maier <mail@dmnk.co>
 #
 # CompareCoverage and NeverZero counters by Andrea Fioraldi
 #                                <andreafioraldi@gmail.com>
 #
 # Copyright 2017 Battelle Memorial Institute. All rights reserved.
 # Copyright 2019 AFLplusplus Project. All rights reserved.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
--- a/unicorn_mode/patches/afl-unicorn-common.h
+++ b/unicorn_mode/patches/afl-unicorn-common.h
@ -1,17 +1,17 @@
 /*
-   american fuzzy lop - high-performance binary-only instrumentation
+   american fuzzy lop++ - unicorn instrumentation
-   -----------------------------------------------------------------
+   ----------------------------------------------
-   Written by Andrew Griffiths <agriffiths@google.com> and
+   Originally written by Andrew Griffiths <agriffiths@google.com> and
-              Michal Zalewski <lcamtuf@google.com>
+                         Michal Zalewski <lcamtuf@google.com>
   TCG instrumentation and block chaining support by Andrea Biondo
                                      <andrea.biondo965@gmail.com>
   Adapted for afl-unicorn by Dominik Maier <mail@dmnk.co>
-   Idea & design very much by Andrew Griffiths.
+   CompareCoverage and NeverZero counters by Andrea Fioraldi
                                  <andreafioraldi@gmail.com>
-   Copyright 2015, 2016 Google Inc. All rights reserved.
+   Copyright 2015, 2016, 2017 Google Inc. All rights reserved.
   Copyright 2019 AFLplusplus Project. All rights reserved.
   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
@ -24,7 +24,7 @@
   to implement AFL-style instrumentation and to take care of the remaining
   parts of the AFL fork server logic.
-   The resulting QEMU binary is essentially a standalone instrumentation
+   The resulting libunicorn binary is essentially a standalone instrumentation
   tool; for an example of how to leverage it for other purposes, you can
   have a look at afl-showmap.c.
--- a/unicorn_mode/patches/afl-unicorn-cpu-inl.h
+++ b/unicorn_mode/patches/afl-unicorn-cpu-inl.h
@ -1,17 +1,17 @@
 /*
-   american fuzzy lop - high-performance binary-only instrumentation
+   american fuzzy lop++ - unicorn instrumentation
-   -----------------------------------------------------------------
+   ----------------------------------------------
-   Written by Andrew Griffiths <agriffiths@google.com> and
+   Originally written by Andrew Griffiths <agriffiths@google.com> and
-              Michal Zalewski <lcamtuf@google.com>
+                         Michal Zalewski <lcamtuf@google.com>
   TCG instrumentation and block chaining support by Andrea Biondo
                                      <andrea.biondo965@gmail.com>
   Adapted for afl-unicorn by Dominik Maier <mail@dmnk.co>
-   Idea & design very much by Andrew Griffiths.
+   CompareCoverage and NeverZero counters by Andrea Fioraldi
                                  <andreafioraldi@gmail.com>
-   Copyright 2015, 2016 Google Inc. All rights reserved.
+   Copyright 2015, 2016, 2017 Google Inc. All rights reserved.
   Copyright 2019 AFLplusplus Project. All rights reserved.
   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
@ -24,7 +24,7 @@
   to implement AFL-style instrumentation and to take care of the remaining
   parts of the AFL fork server logic.
-   The resulting QEMU binary is essentially a standalone instrumentation
+   The resulting libunicorn binary is essentially a standalone instrumentation
   tool; for an example of how to leverage it for other purposes, you can
   have a look at afl-showmap.c.
--- a/unicorn_mode/patches/afl-unicorn-cpu-translate-inl.h
+++ b/unicorn_mode/patches/afl-unicorn-cpu-translate-inl.h
@ -1,17 +1,17 @@
 /*
-   american fuzzy lop - high-performance binary-only instrumentation
+   american fuzzy lop++ - unicorn instrumentation
-   -----------------------------------------------------------------
+   ----------------------------------------------
-   Written by Andrew Griffiths <agriffiths@google.com> and
+   Originally written by Andrew Griffiths <agriffiths@google.com> and
-              Michal Zalewski <lcamtuf@google.com>
+                         Michal Zalewski <lcamtuf@google.com>
   TCG instrumentation and block chaining support by Andrea Biondo
                                      <andrea.biondo965@gmail.com>
   Adapted for afl-unicorn by Dominik Maier <mail@dmnk.co>
-   Idea & design very much by Andrew Griffiths.
+   CompareCoverage and NeverZero counters by Andrea Fioraldi
                                  <andreafioraldi@gmail.com>
-   Copyright 2015, 2016 Google Inc. All rights reserved.
+   Copyright 2015, 2016, 2017 Google Inc. All rights reserved.
   Copyright 2019 AFLplusplus Project. All rights reserved.
   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
@ -24,7 +24,7 @@
   to implement AFL-style instrumentation and to take care of the remaining
   parts of the AFL fork server logic.
-   The resulting QEMU binary is essentially a standalone instrumentation
+   The resulting libunicorn binary is essentially a standalone instrumentation
   tool; for an example of how to leverage it for other purposes, you can
   have a look at afl-showmap.c.
--- a/unicorn_mode/patches/afl-unicorn-tcg-op-inl.h
+++ b/unicorn_mode/patches/afl-unicorn-tcg-op-inl.h
@ -1,17 +1,17 @@
 /*
-   american fuzzy lop - high-performance binary-only instrumentation
+   american fuzzy lop++ - unicorn instrumentation
-   -----------------------------------------------------------------
+   ----------------------------------------------
-   Written by Andrew Griffiths <agriffiths@google.com> and
+   Originally written by Andrew Griffiths <agriffiths@google.com> and
-              Michal Zalewski <lcamtuf@google.com>
+                         Michal Zalewski <lcamtuf@google.com>
   TCG instrumentation and block chaining support by Andrea Biondo
                                      <andrea.biondo965@gmail.com>
   Adapted for afl-unicorn by Dominik Maier <mail@dmnk.co>
-   Idea & design very much by Andrew Griffiths.
+   CompareCoverage and NeverZero counters by Andrea Fioraldi
                                  <andreafioraldi@gmail.com>
-   Copyright 2015, 2016 Google Inc. All rights reserved.
+   Copyright 2015, 2016, 2017 Google Inc. All rights reserved.
   Copyright 2019 AFLplusplus Project. All rights reserved.
   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
@ -24,7 +24,7 @@
   to implement AFL-style instrumentation and to take care of the remaining
   parts of the AFL fork server logic.
-   The resulting QEMU binary is essentially a standalone instrumentation
+   The resulting libunicorn binary is essentially a standalone instrumentation
   tool; for an example of how to leverage it for other purposes, you can
   have a look at afl-showmap.c.
--- a/unicorn_mode/patches/afl-unicorn-tcg-runtime-inl.h
+++ b/unicorn_mode/patches/afl-unicorn-tcg-runtime-inl.h
@ -1,17 +1,17 @@
 /*
-   american fuzzy lop - high-performance binary-only instrumentation
+   american fuzzy lop++ - unicorn instrumentation
-   -----------------------------------------------------------------
+   ----------------------------------------------
-   Written by Andrew Griffiths <agriffiths@google.com> and
+   Originally written by Andrew Griffiths <agriffiths@google.com> and
-              Michal Zalewski <lcamtuf@google.com>
+                         Michal Zalewski <lcamtuf@google.com>
   TCG instrumentation and block chaining support by Andrea Biondo
                                      <andrea.biondo965@gmail.com>
   Adapted for afl-unicorn by Dominik Maier <mail@dmnk.co>
-   Idea & design very much by Andrew Griffiths.
+   CompareCoverage and NeverZero counters by Andrea Fioraldi
                                  <andreafioraldi@gmail.com>
-   Copyright 2015, 2016 Google Inc. All rights reserved.
+   Copyright 2015, 2016, 2017 Google Inc. All rights reserved.
   Copyright 2019 AFLplusplus Project. All rights reserved.
   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
@ -24,7 +24,7 @@
   to implement AFL-style instrumentation and to take care of the remaining
   parts of the AFL fork server logic.
-   The resulting QEMU binary is essentially a standalone instrumentation
+   The resulting libunicorn binary is essentially a standalone instrumentation
   tool; for an example of how to leverage it for other purposes, you can
   have a look at afl-showmap.c.
--- a/unicorn_mode/samples/compcov_x64/COMPILE.md
+++ b/unicorn_mode/samples/compcov_x64/COMPILE.md
@ -1,5 +1,4 @@
-Compiling compcov_target.c
+# Compiling compcov_target.c
 ==========================
 compcov_target.c was compiled without optimization, position-independent,
 and without standard libraries using the following command line:
--- a/unicorn_mode/samples/compcov_x64/compcov_target.c
+++ b/unicorn_mode/samples/compcov_x64/compcov_target.c
@ -7,7 +7,7 @@
 * (0x00300000), so make sure that your Unicorn emulation of this 
 * puts user data there.
 *
- * Written by Nathan Voss <njvoss99@gmail.com>
+ * Written by Andrea Fioraldi
 */
 // Magic address where mutated data will be placed
--- a/unicorn_mode/samples/simple/COMPILE.md
+++ b/unicorn_mode/samples/simple/COMPILE.md
@ -1,5 +1,4 @@
-Compiling simple_target.c
+# Compiling simple_target.c
 ==========================
 You shouldn't need to compile simple_target.c since a MIPS binary version is
 pre-built and shipped with afl-unicorn. This file documents how the binary
@ -38,4 +37,4 @@ mips-linux-gnu-gcc -o simple_target.elf simple_target.c -fPIC -O0 -nostdlib
 Note that the output of this is padded with nulls for 16-byte alignment. This is 
 important when emulating it, as NOPs will be added after the return of main()
-as necessary.
+as necessary.