Fuzzing Control Transfer Instructions

Earlier last year, I wrote about my Flash fuzzer for example here and here.

This weekend I just added a little improvement to it. Since I was able to reach the byte codes of DoABC tag and to parse them, there is a lot of possibility to implement fuzzing opportunities by little changes.

What I did is the ability to alter control transfer instructions for ifeq, iffalse, ifge, ifgt, ifle, iflt, ifnge, ifngt, ifnle, ifnlt, ifne, ifstricteq, ifstrictne, iftrue, jump to change the target address of them. These instructions take only one operand that is fixed-length: 24-bit signed integer that is 3 bytes, so it was very straightforward to parse and change them.

One thing I wanted to pay attention that is the target of jumps should be within the region of the method but it was quick to implement this because the method addresses and sizes are already available from the parser info.