# Target Intelligence

These are some ideas for making the target you are fuzzing give helpful
feedback to AFL++.

## Add to the AFL++ dictionary from your target

For this, your target must be compiled for CMPLOG (`AFL_LLVM_CMPLOG=1`).

Add in your source code:

```
#include <stdint.h>

/* Weak declarations: when the target is linked with the AFL++ CMPLOG runtime
   these resolve to the real hooks, otherwise to NULL, so the guarded calls
   below are no-ops in a plain build. AFL++'s own sources spell the types
   u8/u64; they are uint8_t/uint64_t. */
__attribute__((weak)) void __cmplog_rtn_hook_strn(uint8_t *ptr1, uint8_t *ptr2, uint64_t len);
__attribute__((weak)) void __cmplog_ins_hook1(uint8_t arg1, uint8_t arg2, uint8_t attr);
__attribute__((weak)) void __cmplog_ins_hook2(uint16_t arg1, uint16_t arg2, uint8_t attr);
__attribute__((weak)) void __cmplog_ins_hook4(uint32_t arg1, uint32_t arg2, uint8_t attr);
__attribute__((weak)) void __cmplog_ins_hook8(uint64_t arg1, uint64_t arg2, uint8_t attr);

int in_your_function(...)
{

  // to add two strings to the AFL++ dictionary; `length` bounds the
  // comparison, as the third argument of strncmp does:
  if (__cmplog_rtn_hook_strn)
    __cmplog_rtn_hook_strn(string1, string2, length);

  // to add two 32 bit integers to the AFL++ dictionary:
  if (__cmplog_ins_hook4)
    __cmplog_ins_hook4(first_32_bit_var, second_32_bit_var, 0);

}
```

Note that this only makes sense if the target processes these values in a way
that AFL++ CMPLOG cannot uncover on its own, e.g. if the values are transformed
by a matrix computation before they are compared.

Fixed values are always better given to afl-fuzz via a `-x dictionary` file.

## Add inputs to the AFL++ queue from your target

If for whatever reason you want your target to propose new inputs to AFL++,
this is actually very easy. The environment variable `AFL_CUSTOM_INFO_OUT`
contains the output directory of this run, including the fuzzer instance name
(e.g. `default`), so if you run `afl-fuzz -o out -S foobar`, the value would be
`out/foobar`.

To show afl-fuzz an input it should consider, do the following:

1. create the directory `$AFL_CUSTOM_INFO_OUT/../target/queue`
2. create any new inputs you want afl-fuzz to notice in that directory with the
   following naming convention: `id:NUMBER-OF-LENGTH-SIX-WITH-LEADING-ZEROES,whatever`,
   where that number has to be increasing, e.g.:
```
   id:000000,first_file
   id:000001,second_file
   id:000002,third_file
   etc.
```

afl-fuzz treats `target` like any other fuzzer instance in the output
directory and imports from its queue during its regular sync pass, so the
files are picked up on the next sync, not instantly. It also remembers the
highest id it has already imported from that directory and skips lower ones,
which is why the number must keep increasing.

Note that this will not work in nyx_mode because afl-fuzz cannot see inside the
virtual machine.
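As an added example for the CMPLOG hooks in the first section (this is not code from the AFL++ project or its documentation): a hypothetical target compares a transformed copy of a 4-byte little-endian input field against a magic constant. That is exactly the case CMPLOG cannot solve on its own, because it only observes the transformed operand, so the target hands the hook the raw value the input currently holds together with the raw value it needs to hold. The names `check_input`, `transform`, `solving_raw_value`, `write_le32`, the constants `KEY` and `MAGIC` and the input layout are assumptions made for this example; the hook prototype is the one from the first section. Linked against the CMPLOG runtime the weak `__cmplog_ins_hook4` symbol is the real hook; in a plain build it is NULL and the call is skipped.

```c
#include <stddef.h>
#include <stdint.h>

/* Weak declaration of the AFL++ CMPLOG hook for 32-bit comparisons. Linked
 * against the CMPLOG runtime it is the real hook; in a plain build the symbol
 * is NULL and the guarded call below is skipped. */
__attribute__((weak)) void __cmplog_ins_hook4(uint32_t arg1, uint32_t arg2, uint8_t attr);

/* Constructed values for the example. An odd multiplier is a bijection modulo
 * 2^32, so "transform(raw) == MAGIC" has exactly one solution, but CMPLOG only
 * ever observes the transformed operand, never the raw input bytes. */
#define KEY   0x9E3779B1u
#define MAGIC 0xC0FFEE42u

static uint32_t transform(uint32_t raw) { return raw * KEY; }

/* Multiplicative inverse of an odd 32-bit constant by Newton iteration: the
 * seed is correct to 3 bits (k*k == 1 mod 8) and each round doubles that. */
static uint32_t inverse_odd32(uint32_t k) {
  uint32_t inv = k;
  for (int i = 0; i < 5; i++) inv *= 2u - k * inv;
  return inv;
}

/* The raw field value an input must carry to satisfy the comparison. Only the
 * target author knows this inverse, which is why the target has to pass it on. */
uint32_t solving_raw_value(void) { return MAGIC * inverse_odd32(KEY); }

static uint32_t read_le32(const uint8_t *p) {
  return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) |
         ((uint32_t)p[3] << 24);
}

/* Lay a 32-bit value out in the little-endian header field the target reads. */
void write_le32(uint32_t v, uint8_t out[4]) {
  out[0] = (uint8_t)v;
  out[1] = (uint8_t)(v >> 8);
  out[2] = (uint8_t)(v >> 16);
  out[3] = (uint8_t)(v >> 24);
}

/* Hypothetical target entry point: 1 if the 4-byte header field transforms to
 * MAGIC, 0 otherwise. */
int check_input(const uint8_t *buf, size_t len) {
  if (len < 4) return 0;
  uint32_t raw = read_le32(buf);

  /* Hand CMPLOG the pair (value the input holds now, value it needs to hold).
   * The input-to-state stage can find `raw` in the input and substitute the
   * second operand; the transformed values would not help it. attr 0 follows
   * the page's own example. */
  if (__cmplog_ins_hook4) __cmplog_ins_hook4(raw, solving_raw_value(), 0);

  return transform(raw) == MAGIC;
}
```

Build the target with `AFL_LLVM_CMPLOG=1` as for any CMPLOG build; in a normal build the weak symbol is NULL and the hook call costs nothing. Passing the value as it appears in the input together with the value it must become is what lets AFL++ locate the bytes and substitute them; handing it the transformed operands instead would teach it nothing beyond what it already sees at the comparison.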
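As an added example for the queue procedure in the second section (again not the project's own code): a helper a target can call to publish a proposed input under `$AFL_CUSTOM_INFO_OUT/../target/queue` with the `id:NNNNNN,label` naming. It picks the next id by scanning the directory rather than from an in-memory counter, because every execution under the fork server starts from the same process snapshot and a static counter would restart at zero, producing ids afl-fuzz has already seen. The function names `mkdir_p`, `propose_input_to` and `propose_input` and the `label` argument are assumptions of this example; the directory layout and naming are those given above.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* mkdir -p: create every missing component of `path`; existing ones are fine. */
int mkdir_p(const char *path) {
  char buf[4096];
  size_t n = strlen(path);
  if (n == 0 || n >= sizeof(buf)) return -1;
  memcpy(buf, path, n + 1);
  for (size_t i = 1; i <= n; i++) {
    if (buf[i] != '/' && buf[i] != '\0') continue;
    char saved = buf[i];
    buf[i] = '\0';
    if (mkdir(buf, 0755) != 0 && errno != EEXIST) return -1;
    buf[i] = saved;
  }
  return 0;
}

/* Highest id:NNNNNN already present in `dir`, or -1 when there is none. afl-fuzz
 * only imports ids above the last one it saw, so the next id must never go down. */
static long highest_id(const char *dir) {
  long best = -1;
  DIR *d = opendir(dir);
  if (!d) return -1;
  struct dirent *e;
  while ((e = readdir(d)) != NULL) {
    unsigned long id;
    if (sscanf(e->d_name, "id:%6lu", &id) == 1 && (long)id > best) best = (long)id;
  }
  closedir(d);
  return best;
}

/* Write `len` bytes of `data` into <instance_dir>/../target/queue under the
 * naming convention afl-fuzz syncs from. `label` is a free-form suffix (no '/').
 * Returns the id used, or -1 on error. */
long propose_input_to(const char *instance_dir, const uint8_t *data, size_t len,
                      const char *label) {
  char qdir[4096], tmp[4352], final_path[4352];
  if (snprintf(qdir, sizeof(qdir), "%s/../target/queue", instance_dir) >= (int)sizeof(qdir))
    return -1;
  if (mkdir_p(qdir) != 0) return -1;

  long id = highest_id(qdir) + 1;
  /* A dot-prefixed temp file is invisible to afl-fuzz (it only looks at "id:"
   * names), so the rename publishes a complete file atomically. */
  if (snprintf(tmp, sizeof(tmp), "%s/.id:%06ld,%s.tmp", qdir, id, label) >= (int)sizeof(tmp))
    return -1;
  if (snprintf(final_path, sizeof(final_path), "%s/id:%06ld,%s", qdir, id, label) >= (int)sizeof(final_path))
    return -1;

  FILE *f = fopen(tmp, "wb");
  if (!f) return -1;
  size_t written = fwrite(data, 1, len, f);
  if (fclose(f) != 0 || written != len || rename(tmp, final_path) != 0) {
    unlink(tmp);
    return -1;
  }
  return id;
}

/* Entry point for the target: reads AFL_CUSTOM_INFO_OUT, which afl-fuzz sets to
 * its own instance directory (e.g. out/foobar). Outside afl-fuzz the variable is
 * unset and the call is a silent no-op, so plain builds keep working. */
long propose_input(const uint8_t *data, size_t len, const char *label) {
  const char *out = getenv("AFL_CUSTOM_INFO_OUT");
  if (!out) return -1;
  return propose_input_to(out, data, len, label);
}
```

Call `propose_input` at the point in the target where the interesting input is known, for instance after a parser has rebuilt a well-formed message from a partially valid one. Because the id comes from what is already on disk, the numbering keeps increasing across executions and across restarts of the fuzzer, which is the condition the naming convention above requires.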