Open
Hello,
I have built Frida, AFL++ and FPicker on a custom Linux target.
Frida JS injection/tracing seems to work, and FPicker in standalone mode works (attach/in-process, shm or send).
I am trying AFL FPicker mode and it appears to fail:
```
[*] Spinning up the fork server...
[!] WARNING: Old fork server model is used by the target, this still works though.
[+] All right - old fork server is up.
[*] Extended forkserver functions received (00000000).
[*] No auto-generated dictionary tokens to reuse.
[*] Attempting dry run with 'id:000000,time:0,execs:0,orig:001.bin'...
[D] DEBUG: calibration stage 1/7
[-] PROGRAM ABORT : No instrumentation detected
         Location : perform_dry_run(), src/afl-fuzz-init.c:1238
```
Quick question: would you know if the AFL++ vs FPicker combo I am running is compatible?
Looking through the AFL++ afl-proxy.c example, it looks like (assuming NOT USEMMAP) AFL++ expects the proxy to do `__afl_area_ptr = shmat(shm_id, 0, 0);` and write the coverage to `__afl_area_ptr`, and I understand that in FPicker this is done in harness/fuzzer.js. But it doesn't seem to work.
I don't mind trying to figure out how to get it to work, but I figured I'd ask first what you think about this.
Thanks!
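The shared-memory handoff the post asks about, as an added example that is not FPicker's or AFL++'s own code: a minimal "old model" fork-server proxy in C that attaches to the coverage map afl-fuzz exports through the `__AFL_SHM_ID` environment variable, records edges into it the way classic AFL instrumentation does, and answers the fork-server pipe on file descriptors 198/199. The abort seen above, "No instrumentation detected", is raised by the dry run when the map is still all zero after the first execution, so `count_nonzero()` here mirrors the check a proxy has to satisfy. Assumed for the example: AFL++'s default map size of 65536 (afl-fuzz can be built with another), the `FORKSRV_FD` value 198 from AFL++'s config.h, and a placeholder `run_one()` callback standing in for "execute the target and fill the map"; `demo_target()` and its block IDs are constructed.

```c
/*
 * Minimal AFL++ "old model" fork-server proxy: attaches to the coverage map
 * that afl-fuzz exports via __AFL_SHM_ID, records edges into it the way
 * classic AFL instrumentation does, and reports each run back over the
 * fork-server pipe. Added example, not FPicker or AFL++ code.
 */
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ipc.h>
#include <sys/shm.h>
#include <unistd.h>

#define FORKSRV_FD   198    /* AFL++ config.h: control pipe on 198, status pipe on 199 */
#define AFL_MAP_SIZE 65536  /* AFL++ default MAP_SIZE; assumed, afl-fuzz may be built with another */

static uint8_t  local_map[AFL_MAP_SIZE];  /* fallback when not run under afl-fuzz */
static uint8_t *afl_area_ptr = NULL;      /* the coverage map afl-fuzz reads */
static uint32_t afl_map_size = AFL_MAP_SIZE;

/* Attach the map. Returns 1 when attached to afl-fuzz's segment, 0 when
 * running stand-alone (no __AFL_SHM_ID in the environment). */
int attach_coverage_map(void) {
  const char *id_str = getenv("__AFL_SHM_ID");
  if (!id_str) { afl_area_ptr = local_map; return 0; }
  void *p = shmat(atoi(id_str), NULL, 0);
  if (p == (void *)-1) {
    perror("shmat");
    afl_area_ptr = local_map;
    return 0;
  }
  afl_area_ptr = (uint8_t *)p;
  return 1;
}

/* Classic AFL edge hashing: the slot is (cur ^ prev) % size, and prev is the
 * shifted current location so A->B and B->A land in different slots.
 * Returns the slot that was bumped. */
uint32_t record_edge(uint32_t *prev_loc, uint32_t cur_loc) {
  if (!afl_area_ptr) attach_coverage_map();
  uint32_t idx = (cur_loc ^ *prev_loc) % afl_map_size;
  afl_area_ptr[idx]++;
  *prev_loc = cur_loc >> 1;
  return idx;
}

/* Number of nonzero map bytes; afl-fuzz's dry run aborts with
 * "No instrumentation detected" when this is 0 after the first execution. */
size_t count_nonzero(const uint8_t *map, size_t len) {
  size_t n = 0;
  for (size_t i = 0; i < len; i++) n += (map[i] != 0);
  return n;
}

int coverage_recorded(void) {
  if (!afl_area_ptr) attach_coverage_map();
  return count_nonzero(afl_area_ptr, afl_map_size) != 0;
}

void reset_coverage_map(void) {
  if (!afl_area_ptr) attach_coverage_map();
  memset(afl_area_ptr, 0, afl_map_size);
}

/* Fork-server loop for the old (4-byte handshake) model. run_one() is a
 * placeholder for "execute the target on the current input and fill the
 * map"; it returns nonzero when the target crashed. Returns -1 if the
 * fork-server pipe is absent, i.e. we are not under afl-fuzz. */
int forkserver_loop(int (*run_one)(void)) {
  uint32_t hello = 0;  /* any 4 bytes; 0 means no extended options */
  if (write(FORKSRV_FD + 1, &hello, 4) != 4) return -1;
  for (;;) {
    uint32_t ctl;
    if (read(FORKSRV_FD, &ctl, 4) != 4) return 0;  /* afl-fuzz went away */
    uint32_t pid = (uint32_t)getpid();
    if (write(FORKSRV_FD + 1, &pid, 4) != 4) return -1;
    /* afl-fuzz zeroes the map before each run; run_one() must repopulate it */
    uint32_t status = run_one() ? (uint32_t)SIGSEGV : 0;  /* waitpid()-style */
    if (write(FORKSRV_FD + 1, &status, 4) != 4) return -1;
  }
}

/* Stand-alone demo: a fake target with two basic blocks (constructed IDs). */
static int demo_target(void) {
  uint32_t prev_loc = 0;
  record_edge(&prev_loc, 0x1234);
  record_edge(&prev_loc, 0x5678);
  return 0;
}

int main(void) {
  int under_afl = attach_coverage_map();
  if (under_afl && forkserver_loop(demo_target) == 0) return 0;
  demo_target();
  printf("under afl-fuzz: %d, nonzero map bytes: %zu\n", under_afl,
         count_nonzero(afl_area_ptr, afl_map_size));
  return coverage_recorded() ? 0 : 1;
}
```

Run stand-alone it uses the local map and reports two nonzero bytes; under afl-fuzz it attaches to the exported segment and serves the pipe. The practical check for a proxy that hits the abort above is the same as `coverage_recorded()`: if nothing has bumped a map byte by the time the status word is written back on fd 199, the dry run has nothing to calibrate against.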