neverzero for unicorn_mode

2025-06-08 08:11:34 +00:00 · 2019-08-27 21:10:51 +02:00 · 2019-08-27 21:10:51 +02:00 · c5e0b29a22
commit c5e0b29a22
parent bec9b307db
3 changed files with 17 additions and 3 deletions
--- a/qemu_mode/patches/afl-qemu-translate-inl.h
+++ b/qemu_mode/patches/afl-qemu-translate-inl.h
@ -46,7 +46,7 @@ void afl_maybe_log(target_ulong cur_loc) {

  static __thread abi_ulong prev_loc;

-  register target_ulong afl_idx = cur_loc ^ prev_loc;
+  register uintptr_t afl_idx = cur_loc ^ prev_loc;

 #if (defined(__x86_64__) || defined(__i386__)) && defined(AFL_QEMU_NOT_ZERO)
  asm volatile (
--- a/unicorn_mode/build_unicorn_support.sh
+++ b/unicorn_mode/build_unicorn_support.sh
@ -144,7 +144,7 @@ echo "[+] Configuration complete."

 echo "[*] Attempting to build Unicorn (fingers crossed!)..."

-UNICORN_QEMU_FLAGS='--python=python2' make || exit 1
+UNICORN_QEMU_FLAGS='--python=python2' make -j `nproc` || exit 1

 echo "[+] Build process successful!"

--- a/unicorn_mode/patches/afl-unicorn-cpu-inl.h
+++ b/unicorn_mode/patches/afl-unicorn-cpu-inl.h
@ -241,7 +241,21 @@ static inline void afl_maybe_log(unsigned long cur_loc) {
  // DEBUG
  //printf("cur_loc = 0x%lx\n", cur_loc);  

-  afl_area_ptr[cur_loc ^ prev_loc]++;
+  register uintptr_t afl_idx = cur_loc ^ prev_loc;
+
+#if (defined(__x86_64__) || defined(__i386__)) && defined(AFL_QEMU_NOT_ZERO)
+  asm volatile (
+    "incb (%0, %1, 1)\n"
+    "seto %%al\n"
+    "addb %%al, (%0, %1, 1)\n"
+    : /* no out */
+    : "r" (afl_area_ptr), "r" (afl_idx)
+    : "memory", "eax"
+  );
+#else
+  afl_area_ptr[afl_idx]++;
+#endif
+
  prev_loc = cur_loc >> 1;

 }