$ cat test.c
/* NOTE: the header name was lost when this page was extracted. The program
 * needs <stdio.h> for printf() and <stdlib.h> for atoi(). */
#include

/* Deliberately vulnerable target for the in-memory fuzzing session below.
 * i is used as an index into tab with no bounds check at all, so any value
 * outside 0..35 reads stack memory outside the 36-byte buffer: a negative i
 * reads below it, a large positive i reads far above it (the fuzzing run
 * further down faults with i = 0x2d88). */
void foo(int i, char *tab)
{
    printf("%c\n", tab[i]);   /* unchecked out-of-bounds read */
}

/* tab holds exactly 36 characters and no terminating NUL (the literal is
 * 36 bytes long); that is legal here because tab is only ever indexed,
 * never treated as a C string.
 * The index comes straight from atoi(av[1]). atoi() reports no parse error
 * and can return negative numbers, so i is fully attacker-controlled. */
int main(int ac, const char *av[])
{
    char tab[36] = "qwertyuiopasdfghjklzxcvbnm1234567890";
    if (ac == 2)
        foo(atoi(av[1]), tab);
    return 0;
}
$ objdump -d ./test
[...]
0000000000400584 :
  400584: 55                      push rbp
  400585: 48 89 e5                mov rbp,rsp
  400588: 48 83 ec 10             sub rsp,0x10
  40058c: 89 7d fc                mov DWORD PTR [rbp-0x4],edi
  40058f: 48 89 75 f0             mov QWORD PTR [rbp-0x10],rsi
  400593: 8b 45 fc                mov eax,DWORD PTR [rbp-0x4]
  400596: 48 98                   cdqe
  400598: 48 03 45 f0             add rax,QWORD PTR [rbp-0x10]
  40059c: 0f b6 00                movzx eax,BYTE PTR [rax]
  40059f: 0f be d0                movsx edx,al
  4005a2: b8 2c 07 40 00          mov eax,0x40072c
  4005a7: 89 d6                   mov esi,edx
  4005a9: 48 89 c7                mov rdi,rax
  4005ac: b8 00 00 00 00          mov eax,0x0
  4005b1: e8 ba fe ff ff          call 400470
  4005b6: c9                      leave
  4005b7: c3                      ret
00000000004005b8
:
  4005b8: 55                      push rbp
  4005b9: 48 89 e5                mov rbp,rsp
  4005bc: 48 83 ec 40             sub rsp,0x40
  4005c0: 89 7d cc                mov DWORD PTR [rbp-0x34],edi
  4005c3: 48 89 75 c0             mov QWORD PTR [rbp-0x40],rsi
  4005c7: c7 45 d0 71 77 65 72    mov DWORD PTR [rbp-0x30],0x72657771
  4005ce: c7 45 d4 74 79 75 69    mov DWORD PTR [rbp-0x2c],0x69757974
  4005d5: c7 45 d8 6f 70 61 73    mov DWORD PTR [rbp-0x28],0x7361706f
  4005dc: c7 45 dc 64 66 67 68    mov DWORD PTR [rbp-0x24],0x68676664
  4005e3: c7 45 e0 6a 6b 6c 7a    mov DWORD PTR [rbp-0x20],0x7a6c6b6a
  4005ea: c7 45 e4 78 63 76 62    mov DWORD PTR [rbp-0x1c],0x62766378
  4005f1: c7 45 e8 6e 6d 31 32    mov DWORD PTR [rbp-0x18],0x32316d6e
  4005f8: c7 45 ec 33 34 35 36    mov DWORD PTR [rbp-0x14],0x36353433
  4005ff: c7 45 f0 37 38 39 30    mov DWORD PTR [rbp-0x10],0x30393837
  400606: 83 7d cc 02             cmp DWORD PTR [rbp-0x34],0x2
  40060a: 75 26                   jne 400632
  40060c: 48 8b 45 c0             mov rax,QWORD PTR [rbp-0x40]
  400610: 48 83 c0 08             add rax,0x8
  400614: 48 8b 00                mov rax,QWORD PTR [rax]
  400617: 48 89 c7                mov rdi,rax
  40061a: b8 00 00 00 00          mov eax,0x0
  40061f: e8 6c fe ff ff          call 400490
  400624: 48 8d 55 d0             lea rdx,[rbp-0x30]
  400628: 48 89 d6                mov rsi,rdx
  40062b: 89 c7                   mov edi,eax
  40062d: e8 52 ff ff ff          call 400584
  400632: b8 00 00 00 00          mov eax,0x0
  400637: c9                      leave
  400638: c3                      ret
  400639: 0f 1f 80 00 00 00 00    nop DWORD PTR [rax+0x0]
[...]

(The objdump symbol labels were lost in extraction: the function at 0x400584 is foo() and the one at 0x4005b8 is main(), as the `call 400584` at 0x40062d shows.)

In foo(), the first argument i arrives in RDI (System V x86-64 calling convention). main() loads it with `mov edi,eax` at 0x40062b straight from the return value of atoi(av[1]) (`call 400490`), so it is entirely user-controlled, and foo() uses it as an index with no bounds check: `cdqe` sign-extends it, `add rax,QWORD PTR [rbp-0x10]` adds it to tab, and `movzx eax,BYTE PTR [rax]` at 0x40059c performs the read. So we fuzz RDI with random values from 0x0000 up to 0x3000 (`-rdi random -maxrand 0x3000`). Note that this range only exercises positive indices; atoi() can also return negative numbers, which cdqe sign-extends into an address below tab, so a thorough campaign should fuzz that direction as well.
$ ../../../pin -t ./obj-intel64/InMemoryFuzzing.so -start 0x400584 -end 0x4005b7 -rdi random -maxrand 0x3000 -- ./test 1 [Save Context] [CONTEXT]=---------------------------------------------------------- RAX = 0000000000000001 RBX = 0000000000000000 RCX = 00007fff96fe3170 RDX = 00007fff96fe1f60 RDI = 0000000000001ff6 RSI = 00007fff96fe1f60 RBP = 00007fff96fe1f90 RSP = 00007fff96fe1f48 EIP = 0000000000400585 +------------------------------------------------------------------- +--> 400585: mov rbp, rsp +--> 400588: sub rsp, 0x10 +--> 40058c: mov dword ptr [rbp-0x4], edi +--> 40058f: mov qword ptr [rbp-0x10], rsi +--> 400593: mov eax, dword ptr [rbp-0x4] +--> 400596: cdqe +--> 400598: add rax, qword ptr [rbp-0x10] +--> 40059c: movzx eax, byte ptr [rax] +--> 40059f: movsx edx, al +--> 4005a2: mov eax, 0x40072c +--> 4005a7: mov esi, edx +--> 4005a9: mov rdi, rax +--> 4005ac: mov eax, 0x0 +--> 4005b1: call 0x400470 +--> 400470: jmp qword ptr [rip+0x200ba2] +--> 400476: push 0x0 +--> 40047b: jmp 0x400460 +--> 400460: push qword ptr [rip+0x200ba2] +--> 400466: jmp qword ptr [rip+0x200ba4] A +--> 4005b6: leave +--> 4005b7: ret [Restore Context] [Save Context] [CONTEXT]=---------------------------------------------------------- RAX = 0000000000000001 RBX = 0000000000000000 RCX = 00007fff96fe3170 RDX = 00007fff96fe1f60 RDI = 00000000000014e7 RSI = 00007fff96fe1f60 RBP = 00007fff96fe1f90 RSP = 00007fff96fe1f48 EIP = 0000000000400585 +------------------------------------------------------------------- +--> 400585: mov rbp, rsp +--> 400588: sub rsp, 0x10 +--> 40058c: mov dword ptr [rbp-0x4], edi +--> 40058f: mov qword ptr [rbp-0x10], rsi +--> 400593: mov eax, dword ptr [rbp-0x4] +--> 400596: cdqe +--> 400598: add rax, qword ptr [rbp-0x10] +--> 40059c: movzx eax, byte ptr [rax] +--> 40059f: movsx edx, al +--> 4005a2: mov eax, 0x40072c +--> 4005a7: mov esi, edx +--> 4005a9: mov rdi, rax +--> 4005ac: mov eax, 0x0 +--> 4005b1: call 0x400470 +--> 400470: jmp qword ptr [rip+0x200ba2] 
t
+--> 4005b6: leave
+--> 4005b7: ret
[Restore Context]
[Save Context]
[CONTEXT]=----------------------------------------------------------
RAX = 0000000000000001
RBX = 0000000000000000
RCX = 00007fff96fe3170
RDX = 00007fff96fe1f60
RDI = 0000000000002d88
RSI = 00007fff96fe1f60
RBP = 00007fff96fe1f90
RSP = 00007fff96fe1f48
EIP = 0000000000400585
+-------------------------------------------------------------------
+--> 400585: mov rbp, rsp
+--> 400588: sub rsp, 0x10
+--> 40058c: mov dword ptr [rbp-0x4], edi
+--> 40058f: mov qword ptr [rbp-0x10], rsi
+--> 400593: mov eax, dword ptr [rbp-0x4]
+--> 400596: cdqe
+--> 400598: add rax, qword ptr [rbp-0x10]
+--> 40059c: movzx eax, byte ptr [rax]
/!\ SIGSEGV received /!\
[SIGSGV]=----------------------------------------------------------
RAX = 00007fff96fe4ce8
RBX = 0000000000000000
RCX = 00007fff96fe3170
RDX = 00007fff96fe1f60
RDI = 0000000000002d88
RSI = 00007fff96fe1f60
RBP = 00007fff96fe1f48
RSP = 00007fff96fe1f38
EIP = 000000000040059c
+-------------------------------------------------------------------
[2] 11929 segmentation fault ../../../pin -t ./obj-intel64/InMemoryFuzzing.so -start 0x400584 -end 0x4005b
$

We got a SIGSEGV with RDI = 0x2d88. The faulting instruction is the `movzx eax, byte ptr [rax]` at 0x40059c, i.e. the tab[i] read itself: RAX = RSI + RDI = 0x7fff96fe1f60 + 0x2d88 = 0x7fff96fe4ce8, an address about 11 KiB above the 36-byte buffer that is evidently not mapped. Note that the earlier iterations (RDI = 0x1ff6 and 0x14e7) were just as far out of bounds — the stray `A` and `t` printed between the PLT jump and `leave` appear to be the bytes printf() read from unrelated stack memory — yet they did not fault, because those addresses still fell inside the mapped stack. A crash-only oracle therefore catches just the subset of bad indices that leave mapped memory; to flag every out-of-bounds read, pair the fuzzer with a memory-bounds checker (or an instrumentation check that the address read at 0x40059c stays within [RSI, RSI + 36)).