ExternalVendorCode/AFLplusplus
1
0
Fork 0
mirror of https://github.com/AFLplusplus/AFLplusplus.git synced 2025-06-09 00:31:33 +00:00
Code Issues Packages Projects Releases Wiki Activity

update documentation

Browse Source
This commit is contained in:
van Hauser 2020-04-19 10:15:28 +02:00 committed by Dominik Maier
parent 5b9928f1a9
commit 8b3befea6d
2 changed files with 16 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
docs/Changelog.md
View File

@ -10,8 +10,15 @@ sending a mail to <afl-users+subscribe@googlegroups.com>.
### Version ++2.64d (develop): ### Version ++2.64d (develop):
- ... - qemu_mode:
- add information on PIE/PIC load addresses for 32 bit
- better dependency checks
- gcc_plugin:
- better dependency checks
- unicorn_mode:
- better submodule handling
- all:
- fix 32 bit build options
### Version ++2.64c (release): ### Version ++2.64c (release):

12
qemu_mode/README.persistent.md
View File

@ -23,8 +23,10 @@ in 2.2 and 2.3) have to be set.
This address (as well as the RET address, see below) has to be defined in This address (as well as the RET address, see below) has to be defined in
hexadecimal with the 0x prefix or as a decimal value. hexadecimal with the 0x prefix or as a decimal value.
If the target is compiled with position independant code (PIE/PIC), you must *Note:* If the target is compiled with position independant code (PIE/PIC)
add 0x4000000000 to that address, because qemu loads to this base address. qemu loads these to a specific base address.
For 64 bit you have to add 0x4000000000 (9 zeroes) and for 32 bit 0x40000000
(7 zeroes) to the address.
On strange setups the base address set by QEMU for PIE executable may change, On strange setups the base address set by QEMU for PIE executable may change,
you can check it printing the process map using you can check it printing the process map using
`AFL_QEMU_DEBUG_MAPS=1 afl-qemu-trace TARGET-BINARY` `AFL_QEMU_DEBUG_MAPS=1 afl-qemu-trace TARGET-BINARY`
@ -32,7 +34,7 @@ you can check it printing the process map using
If this address is not valid, afl-fuzz will error during startup with the If this address is not valid, afl-fuzz will error during startup with the
message that the forkserver was not found. message that the forkserver was not found.
### 2.2) the RET address ### 2.2) The RET address
The RET address is the last instruction of the persistent loop. The RET address is the last instruction of the persistent loop.
The emulator will emit a jump to START when translating the instruction at RET. The emulator will emit a jump to START when translating the instruction at RET.
@ -46,7 +48,7 @@ patch the return address (on stack or in the link register) to return to START
It is defined by setting AFL_QEMU_PERSISTENT_RET, and too 0x4000000000 has to It is defined by setting AFL_QEMU_PERSISTENT_RET, and too 0x4000000000 has to
be set if the target is position independant. be set if the target is position independant.
### 2.3) the OFFSET ### 2.3) The OFFSET
This option is valid only for x86/x86_64 only, arm/aarch64 do not save the This option is valid only for x86/x86_64 only, arm/aarch64 do not save the
return address on stack. return address on stack.
@ -72,7 +74,7 @@ Now to get this value right here some help:
8. again print the ESP value 8. again print the ESP value
9. calculate the difference between the two values - and this is the offset 9. calculate the difference between the two values - and this is the offset
### 2.4) resetting the register state ### 2.4) Resetting the register state
It is very, very likely you need to restore the general purpose registers state It is very, very likely you need to restore the general purpose registers state
when starting a new loop. Because of this you 99% of the time should set when starting a new loop. Because of this you 99% of the time should set