/*afl-tmin

最新推荐文章于 2023-09-08 16:46:43 发布

原创

最新推荐文章于 2023-09-08 16:46:43 发布 · 622 阅读

0 ·

CC 4.0 BY-SA版权

AFL-tmin是模糊测试工具American Fuzzy Lop (AFL)的一个辅助工具，用于从大量测试输入中生成最小化的种子文件。它通过删除输入中的冗余部分，帮助缩小测试用例，从而更有效地进行模糊测试。AFL-tmin通过迭代过程找到能够触发同样代码路径的最小化输入，这对于理解和调试被测程序的行为非常有用。

/*afl-tmin：
独立工具，能够自动收缩测试用例，同时仍然确保它们在目标二进制文件中执行相同的功能（或者触发相同的崩溃）。
另一个类似的工具afl-cmin采用了类似的技巧来消除任何大型测试语料库中的冗余文件。*/

#define U32 unsigned int
#define U16 unsigned short
#define U8  unsigned char (byte)

#define S32 int
#define S16 short int
#define S8  char



#include <stdio.h>
#include <stdlib.h>

/* Main entry point */

int main(int argc, char** argv) //argv指向char*，即argv存的是指向字符串的指针的地址。
{
   
   

  s32 opt;
  u8  mem_limit_given = 0, timeout_given = 0, qemu_mode = 0; //u8：最大255
  char** use_argv;

  doc_path = access(DOC_PATH, F_OK) ? "docs" : DOC_PATH;     //R_OK文件是否可读 W_OK文件是否可写入 F_OK 文件是否存在

  SAYF(cCYA "afl-tmin " cBRI VERSION cRST " by <lcamtuf@google.com>\n");   

  while ((opt = getopt(argc,argv,"+i:o:f:m:t:B:xeQ")) > 0)   //每调用一次getopt返回一个选项，optarg是指向对应选项的参数指针。。
    switch (opt)                                             //从用户terminal输入中找到-i -t ...等配置
    {
   
   

      case 'i':

        if (in_file) FATAL("Multiple -i options not supported");
        in_file = optarg;
        break;

      case 'o':

        if (out_file) FATAL("Multiple -o options not supported");
        out_file = optarg;
        break;

      case 'f':

        if (prog_in) FATAL("Multiple -f options not supported");
        use_stdin = 0;
        prog_in   = optarg;
        break;

      case 'e':

        if (edges_only) FATAL("Multiple -e options not supported");
        edges_only = 1;
        break;

      case 'x':

        if (exit_crash) FATAL("Multiple -x options not supported");
        exit_crash = 1;
        break;

      case 'm': {
   
   

          u8 suffix = 'M';

          if (mem_limit_given) FATAL("Multiple -m options not supported");
          mem_limit_given = 1;

          if (!strcmp(optarg, "none")) {
   
   

            mem_limit = 0;
            break;

          }

          if (sscanf(optarg, "%llu%c", &mem_limit, &suffix) < 1 ||
              optarg[0] == '-') FATAL("Bad syntax used for -m");

          switch (suffix) {
   
                               //定义

            case 'T': mem_limit *= 1024 * 1024; break;
            case 'G': mem_limit *= 1024; break;
            case 'k': mem_limit /= 1024; break;
            case 'M': break;

            default:  FATAL("Unsupported suffix or bad syntax for -m");

          }

          if (mem_limit < 5) FATAL("Dangerously low value of -m");

          if (sizeof(rlim_t) == 4 && mem_limit > 2000)
            FATAL("Value of -m out of range on 32-bit systems");

        }

        break;

      case 't':

        if (timeout_given) FATAL("Multiple -t options not supported");
        timeout_given = 1;

        exec_tmout = atoi(optarg);                          //用户输入空闲等待时间

        if (exec_tmout < 10 || optarg[0] == '-')
          FATAL("Dangerously low value of -t");

        break;

      case 'Q':

        if (qemu_mode) FATAL("Multiple -Q options not supported");
        if (!mem_limit_given) mem_limit = MEM_LIMIT_QEMU;

        qemu_mode = 1;
        break;

      case 'B': /* load bitmap */

        /* This is a secret undocumented option! It is speculated to be useful
           if you have a baseline "boring" input file and another "interesting"
           file you want to minimize.

           You can dump a binary bitmap for the boring file using
           afl-showmap -b, and then load it into afl-tmin via -B. The minimizer
           will then minimize to preserve only the edges that are unique to
           the interesting input file, but ignoring everything from the
           original map.

           The option may be extended and made more official if it proves
           to be useful. */

        if (mask_bitmap) FATAL("Multiple -B options not supported");