Closed psparc82 closed 7 months ago
Any help?
Not sure which example you are looking at, but they usually ship with two scripts: a saver, which gets the binary into a state where the target function can be called and then dumps the entire state (memory, registers, etc.) to a file called snapshot.bin.
Then, in the fuzzer script, you can call your target function with fuzzer input, then restore the context from snapshot.bin, send another input, and so on...
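The saver/fuzzer flow described in the reply above, written out as an order-of-events model. This is an added example for this thread, not code from the original post or from the Qiling project: a constructed toy machine stands in for Qiling/Unicorn, so no Qiling or Unicorn API is used; the `Machine` class, its method names, the addresses, the toy program and the snapshot.bin path are all assumptions made for illustration. It shows the two points the question asks about: the startup code runs exactly once (in the saver), and every fuzz iteration starts by restoring the saved state at the target function rather than re-running the binary from its entry point.

```python
"""Order-of-events model of snapshot fuzzing (added example, not Qiling code).

Script 1 ("saver") runs the program from its entry point until the target
function is reached, then dumps the whole machine state to snapshot.bin.
Script 2 ("fuzzer") restores that state for every input, plants the input,
and runs only the target function.  The Machine class is a constructed toy
CPU whose method names merely mirror the shape of the calls in the question.
"""
import os
import pickle
import tempfile
from typing import Callable, Dict, List, Optional, Tuple

ENTRY = 0x1000        # constructed addresses for the toy program
TARGET_FUNC = 0x1010  # the function we want to fuzz
HALT = 0xFFFF
INPUT_ADDR = 0x20     # where the fuzzer writes its test case in toy memory
MAGIC = b"FUZZ"       # the toy bug triggers when the input starts with this


class Machine:
    """Minimal CPU: a pc, two registers, 64 bytes of memory, per-address hooks."""

    def __init__(self) -> None:
        self.pc = ENTRY
        self.regs: Dict[str, int] = {"r0": 0, "r1": 0}
        self.mem = bytearray(64)
        self.hooks: Dict[int, Callable[["Machine"], Optional[bool]]] = {}
        self.entry_runs = 0  # instrumentation only: how often startup code executed

    def hook_address(self, callback: Callable[["Machine"], Optional[bool]], addr: int) -> None:
        self.hooks[addr] = callback

    def save(self) -> bytes:
        # Everything the program can observe: pc, registers, memory.
        return pickle.dumps({"pc": self.pc, "regs": dict(self.regs), "mem": bytes(self.mem)})

    def restore(self, blob: bytes) -> None:
        # pickle is fine for a snapshot you produced yourself; never unpickle untrusted data.
        state = pickle.loads(blob)
        self.pc = state["pc"]
        self.regs = dict(state["regs"])
        self.mem = bytearray(state["mem"])

    def run(self) -> None:
        while self.pc != HALT:
            hook = self.hooks.get(self.pc)
            if hook is not None and hook(self):  # a hook returning True stops execution
                return
            PROGRAM[self.pc](self)


# Constructed toy "binary": address -> handler that mutates state and sets the next pc.
def _entry(m: Machine) -> None:
    m.entry_runs += 1
    m.regs["r0"] = 42  # stands in for expensive startup we do not want to repeat
    m.pc = TARGET_FUNC


def _target(m: Machine) -> None:
    # Function under test: "crashes" (r1 = 1) when the input starts with MAGIC.
    head = bytes(m.mem[INPUT_ADDR:INPUT_ADDR + len(MAGIC)])
    m.regs["r1"] = 1 if head == MAGIC else 0
    m.pc = HALT


PROGRAM = {ENTRY: _entry, TARGET_FUNC: _target}


def saver(snapshot_path: str) -> Machine:
    """Script 1: run from the entry point until TARGET_FUNC is hit, then dump the state."""
    m = Machine()
    m.hook_address(lambda mach: True, TARGET_FUNC)  # stop as soon as the target is reached
    m.run()
    assert m.pc == TARGET_FUNC and m.regs["r0"] == 42
    with open(snapshot_path, "wb") as f:
        f.write(m.save())
    return m


def fuzzer(snapshot_path: str, inputs: List[bytes]) -> Tuple[List[bytes], int]:
    """Script 2: per input, restore the snapshot, plant the input, run the target only."""
    with open(snapshot_path, "rb") as f:
        blob = f.read()
    m = Machine()
    crashes: List[bytes] = []
    room = len(m.mem) - INPUT_ADDR
    for data in inputs:
        m.restore(blob)                 # back to the state at TARGET_FUNC; ENTRY is not re-run
        data = data[:room]              # do not write past the end of toy memory
        m.mem[INPUT_ADDR:INPUT_ADDR + len(data)] = data
        m.run()                         # executes TARGET_FUNC ... HALT and nothing before it
        if m.regs["r1"] == 1:
            crashes.append(data)
    return crashes, m.entry_runs


def demo() -> Tuple[List[bytes], int, int]:
    """Run saver then fuzzer; return (crashing inputs, saver entry runs, fuzzer entry runs)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "snapshot.bin")
        saved = saver(path)
        crashes, fuzz_entry_runs = fuzzer(path, [b"AAAA", b"FUZZ", b"FUZZY", b"fuzz", b""])
    return crashes, saved.entry_runs, fuzz_entry_runs


if __name__ == "__main__":
    print(demo())
```

The third element of `demo()`'s result stays 0: the fuzzer machine never executes `ENTRY`, it only ever resumes from the restored `TARGET_FUNC` state, while the register set up at startup (`r0 == 42`) is still present in every iteration because it was part of the snapshot. Qiling's own `ql.save()`/`ql.restore()` play the role of the toy `save`/`restore` here.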
@iMoD1998 Thanks for clearing that up!
Hi,
I'm trying to understand at a high level how Qiling fuzzes with AFL++ and unicorn. The fuzzing examples and documentation don't fully explain it. So here are a few questions:

`ql.hook_address(start_afl, target_func_addr)`, then `ql.run()`: does this do the following?
- `target_func_addr` is hit
- `target_func_addr` and doesn't restart the binary from the beginning for each fuzz?
- `target_func_addr` is called?

Any sort of diagram / order of events explaining how the fuzzing works would be great!
Thanks for reading and thanks for the excellent project