Unicorn CPU emulator framework (ARM, AArch64, M68K, Mips, Sparc, PowerPC, RiscV, X86)

Overview

Unicorn Engine

Join the chat at https://gitter.im/unicorn-engine/chat

Unicorn is a lightweight, multi-platform, multi-architecture CPU emulator framework based on QEMU.

Unicorn offers some unparalleled features:

  • Multi-architecture: ARM, ARM64 (ARMv8), M68K, MIPS, SPARC, and X86 (16, 32, 64-bit)
  • Clean/simple/lightweight/intuitive architecture-neutral API
  • Implemented in pure C language, with bindings for Crystal, Clojure, Visual Basic, Perl, Rust, Ruby, Python, Java, .NET, Go, Delphi/Free Pascal, Haskell, Pharo, and Lua.
  • Native support for Windows & *nix (with Mac OSX, Linux, *BSD & Solaris confirmed)
  • High performance via Just-In-Time compilation
  • Support for fine-grained instrumentation at various levels
  • Thread-safety by design
  • Distributed under free software license GPLv2

Further information is available at http://www.unicorn-engine.org

License

This project is released under the GPL license.

Compilation & Docs

See docs/COMPILE.md file for how to compile and install Unicorn.

More documentation is available in docs/README.md.

Contact

Contact us via mailing list, email or twitter for any questions.

Contribute

If you want to contribute, please pick up something from our Github issues.

We also maintain a list of more challenging problems in a TODO list.

CREDITS.TXT records important contributors of our project.

Comments
  • IMUL mem/Ib DWORD; OPC_IMUL_GvEvIb; "imul eax, [ecx+0x41], 0x10"

    The Intel IMUL opcode is described using different notations:

    • 6B / r ib IMUL r32, imm8 doubleword register = doubleword register * sign-extended immediate byte
    • imul Gv, Ev, I
    • OPC_IMUL_GvEvIb
    • imul eax, [ecx+0x41], 0x10
    • 6b414110 imul eax,DWORD PTR [ecx+0x41],0x10

    When encountering an IMUL opcode on the i386 architecture, specifically with an immediate 8-bit multiplier, the emulator engine does not properly multiply the number 0x5151494a by 0x10 to get the expected 0x151494a0 result.

    Interestingly, a standalone IMUL instruction works, but this stack-based AlphaMixed code snippet (derived from Metasploit) fails.

    Will submit working proof-of-failure code soon.

    bug 
    opened by egberts 72
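For checking a report like the one above against the architectural semantics, a reference model of the instruction is the cheapest oracle. The following is an added example, not Unicorn or QEMU code and not something the reporter posted: it implements `IMUL r32, r/m32, imm8` (opcode 6B /r ib) with the sign-extended immediate, the 32-bit truncation, and the CF/OF rule from the Intel manual, and evaluates the operand value 0x5151494a and immediate 0x10 from the report. The memory operand address `[ecx+0x41]` is irrelevant to the arithmetic, so the model takes the loaded value directly.

```python
# Added reference model (not Unicorn/QEMU code) of the Intel instruction
#   IMUL r32, r/m32, imm8   (opcode 6B /r ib)
# Semantics: the immediate byte is sign-extended to 32 bits, the signed product
# is truncated to 32 bits, and CF = OF = 1 when the truncated result, read back
# as a signed 32-bit value, differs from the full signed product.
from typing import Tuple


def _to_signed(value: int, bits: int) -> int:
    """Interpret the low `bits` bits of `value` as a two's-complement number."""
    value &= (1 << bits) - 1
    return value - (1 << bits) if value & (1 << (bits - 1)) else value


def imul_r32_rm32_imm8(src: int, imm8: int) -> Tuple[int, int]:
    """Return (result32, overflow) for IMUL r32, r/m32, imm8.

    src  : the 32-bit r/m32 operand (here the dword loaded from [ecx+0x41]).
    imm8 : the raw immediate byte; it is sign-extended exactly as the CPU does.
    overflow is the common value of CF and OF after the instruction.
    """
    full = _to_signed(src, 32) * _to_signed(imm8, 8)
    result = full & 0xFFFFFFFF
    overflow = 1 if _to_signed(result, 32) != full else 0
    return result, overflow


if __name__ == "__main__":
    # Operand value and immediate from the report: 0x5151494a * 0x10.
    res, of = imul_r32_rm32_imm8(0x5151494A, 0x10)
    print(f"imul eax, [ecx+0x41], 0x10 with [ecx+0x41]=0x5151494a -> eax=0x{res:08x} CF=OF={of}")
    # A negative immediate (0xF0 is -16 after sign extension) shows why the
    # extension width matters: 2 * -16 must give 0xffffffe0 without overflow.
    res, of = imul_r32_rm32_imm8(0x00000002, 0xF0)
    print(f"imul with imm8=0xf0 on 2 -> eax=0x{res:08x} CF=OF={of}")
```

Running the first case gives eax = 0x151494a0 with CF = OF = 1, because the full product 0x5151494a0 does not fit in 32 bits; an emulator that returns a different value, or that returns the right value with CF = OF = 0, is wrong in the arithmetic or in the flag computation respectively, and the model tells the two apart.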
  • Python 3.5 dynamic library load error

    I've been battling with running the python bindings on python 3.5.

    I keep getting an ImportError: ERROR: fail to load the dynamic library. However, I have checked that all libraries are present in .\unicorn\lib

        Directory: C:\Python\Lib\site-packages\unicorn\lib
    
    
    Mode                LastWriteTime         Length Name
    ----                -------------         ------ ----
    -a----       2016/09/24   7:23 PM         122036 libgcc_s_dw2-1.dll
    -a----       2016/09/24   3:17 PM          83742 libgcc_s_seh-1.dll
    -a----       2016/10/13   7:02 PM        1124259 libglib-2.0-0.dll
    -a----       2015/06/29   1:25 PM        1050543 libiconv-2.dll
    -a----       2016/03/31   8:50 AM         132717 libintl-8.dll
    -a----       2016/10/09   5:46 PM          56978 libwinpthread-1.dll
    -a----       2016/10/31   9:10 PM       26335738 unicorn.dll
    

    The library does load the directories correctly

    [-] path: 'C:\Python\lib\site-packages\unicorn\lib'
            [+] lib_file: C:\Python\lib\site-packages\unicorn\lib\libwinpthread-1.dll
            [+] lib_file: C:\Python\lib\site-packages\unicorn\lib\libgcc_s_seh-1.dll
            [+] lib_file: C:\Python\lib\site-packages\unicorn\lib\libgcc_s_dw2-1.dll
    [-] path: 'C:\Python\lib\site-packages\unicorn\lib'
            [+] lib_file: C:\Python\lib\site-packages\unicorn\lib\libwinpthread-1.dll
            [+] lib_file: C:\Python\lib\site-packages\unicorn\lib\libgcc_s_seh-1.dll
            [+] lib_file: C:\Python\lib\site-packages\unicorn\lib\libgcc_s_dw2-1.dll
    [-] path: ''
            [+] lib_file: libwinpthread-1.dll
            [+] lib_file: libgcc_s_seh-1.dll
            [+] lib_file: libgcc_s_dw2-1.dll
            [+] lib_file: libiconv-2.dll
            [+] lib_file: libintl-8.dll
            [+] lib_file: libglib-2.0-0.dll
    [-] path: 'C:\Python\Lib\site-packages'
            [+] lib_file: C:\Python\Lib\site-packages\libwinpthread-1.dll
            [+] lib_file: C:\Python\Lib\site-packages\libgcc_s_seh-1.dll
            [+] lib_file: C:\Python\Lib\site-packages\libgcc_s_dw2-1.dll
            [+] lib_file: C:\Python\Lib\site-packages\libiconv-2.dll
            [+] lib_file: C:\Python\Lib\site-packages\libintl-8.dll
            [+] lib_file: C:\Python\Lib\site-packages\libglib-2.0-0.dll
    [-] path: 'C:\Python\Lib\site-packages\unicorn\lib'
            [+] lib_file: C:\Python\Lib\site-packages\unicorn\lib\libwinpthread-1.dll
            [+] lib_file: C:\Python\Lib\site-packages\unicorn\lib\libgcc_s_seh-1.dll
            [+] lib_file: C:\Python\Lib\site-packages\unicorn\lib\libgcc_s_dw2-1.dll
    [-] path: '/usr/lib64'
            [+] lib_file: /usr/lib64\libwinpthread-1.dll
            [+] lib_file: /usr/lib64\libgcc_s_seh-1.dll
            [+] lib_file: /usr/lib64\libgcc_s_dw2-1.dll
            [+] lib_file: /usr/lib64\libiconv-2.dll
            [+] lib_file: /usr/lib64\libintl-8.dll
            [+] lib_file: /usr/lib64\libglib-2.0-0.dll
    Traceback (most recent call last):
      File "shellcode.py", line 5, in <module>
        from unicorn import *
      File "C:\Python\lib\site-packages\unicorn\__init__.py", line 4, in <module>
        from .unicorn import Uc, uc_version, uc_arch_supported, version_bind, debug, UcError, __version__
      File "C:\Python\lib\site-packages\unicorn\unicorn.py", line 75, in <module>
        raise ImportError("ERROR: fail to load the dynamic library.")
    ImportError: ERROR: fail to load the dynamic library.
    

    Note: the extra path was a hard-coded one for debugging.

    I have no idea what the issue is here. You can see the haphazard file loading from a little debug print() I did :/

    It's also worth noting that I have attempted the "official" 0.9 release from the website as well as my own build. Same issue regardless.

    bug 
    opened by CryptXor 53
  • update bindings to support uc_context_save() & uc_context_restore()

    attention: @sashs, @enkomio, @adrianherrera, @cseagle, @xorstream, @lunixbochs.

    Recently we added the new APIs uc_context_save() & uc_context_restore(). At the moment, only the Python binding supports these APIs.

    Thus we need to update the other bindings: .Net, Go, Haskell, Java, msvc & ruby.

    thanks!

    help wanted TODO IMPORTANT CHANGE 
    opened by aquynh 49
  • M1 Max jit_write_protect issue

    Moved to Unicorn 2 for M1 support. Getting this ~50% of the time

    MIPS CPU, with Go bindings if it matters. Perhaps someone has an idea.

    Process 34232 stopped
    * thread #10, stop reason = EXC_BAD_ACCESS (code=2, address=0x280000098)
        frame #0: 0x0000000101040a14 libunicorn.2.dylib`tb_gen_code_mips + 304
    libunicorn.2.dylib`tb_gen_code_mips:
    ->  0x101040a14 <+304>: str    x8, [x9, #0x18]
        0x101040a18 <+308>: ldur   w8, [x29, #-0x14]
        0x101040a1c <+312>: ldur   x9, [x29, #-0x38]
        0x101040a20 <+316>: str    w8, [x9]
    Target 0: (mipsevm.test) stopped.
    (lldb) bt
    * thread #10, stop reason = EXC_BAD_ACCESS (code=2, address=0x280000098)
      * frame #0: 0x0000000101040a14 libunicorn.2.dylib`tb_gen_code_mips + 304
        frame #1: 0x000000010102b74c libunicorn.2.dylib`tb_find + 92
        frame #2: 0x000000010102b1b0 libunicorn.2.dylib`cpu_exec_mips + 244
        frame #3: 0x0000000100fd8ce0 libunicorn.2.dylib`tcg_cpu_exec + 76
        frame #4: 0x0000000100fd8c0c libunicorn.2.dylib`resume_all_vcpus_mips + 96
        frame #5: 0x0000000100fd8dfc libunicorn.2.dylib`vm_start_mips + 24
        frame #6: 0x0000000100fc676c libunicorn.2.dylib`uc_emu_start + 352
        frame #7: 0x00000001002f7f04 mipsevm.test`_cgo_81152a5834e5_Cfunc_uc_emu_start + 44
    

    Speed isn't that important to me, is there any way to disable threading?

    bug 
    opened by geohot 48
  • Add ability to mark memory area read only. Add new API uc_mem_map_ex t…

    Add ability to mark memory area read only. Add new API uc_mem_map_ex to allow permissions to be passed. Change MemoryBlock to track created MemoryRegions. Add regress/ro_mem_test.c

    This also solves the memory leak issue on uc->ram because now all MemoryRegion allocations are tracked in the uc->mapped_blocks array.

    opened by cseagle 42
  • remove glib dependency by providing compatible replacements

    Added glib compatible replacements for all glib functions used in unicorn. Removed glib dependencies in Makefiles. I threw the list and hash table implementations together and have paid no attention to their performance. Feel free to replace the hash table implementation with something that performs better. Need help testing. All samples and unit tests run with same results as master on the following platforms: win32 (using mingw), OS X 64, Linux 32, Linux 64. Have not done much testing beyond that.

    opened by cseagle 36
  • New feature: registers can be bulk saved/restored in an opaque blob

    This is a feature that is required for UC integration in angr. We need to be able to efficiently roll back the state at a whim when we encounter symbolic data that cannot be processed by unicorn.

    Originally, our internal code was just including the appropriate private header files and performing this operation manually, but as we're gearing up for distribution, this won't do. So, new feature!

    I've done nothing but the bare minimum to demonstrate that it works and is useful since I don't know if this is a feature you'd appreciate having.

    opened by rhelmot 33
  • IBM Z (aka SystemZ / SysZ / s390x) architecture support

    Hi,

    I was wondering what it would take to support IBM Z in unicorn-engine? QEMU 2.1.2 seems to have sufficient support for it, so I assume the main missing things are these?

    • UC_* defines
    • machine definition
    • hooks
    • build system support

    Also, based on https://github.com/unicorn-engine/unicorn/issues/1438, do I get it right that such contribution would have to wait until unicorn 2 is out, or would it make sense to also do this for 1.x?

    Best regards, Ilya

    pinned 
    opened by iii-i 32
  • Run Unit Test in Travis builds

    osx in Travis has brew available without sudo, so it is easy to install cmocka

    For linux and appveyor, I created a small script to download and compile cmocka.

    Unit test test_tb_x86_64_32_imul_Gv_Ev_Ib is now failing on all platforms

    TODO: see if clang works in cygwin for builds, currently following up with cmocka

    What about changing the tests/unit to pass and adding it to the build process? Maybe bindings too?

    opened by stephengroat 32
  • PPC support

    I've made only a few tests so far: basic arithmetic, and strlen(). No stack-related tests, no tests for resource leaks on multiple runs, no tests for hooks. Also it is limited to e500v2 and built only in an ubuntu/amd64/gcc environment. So this is surely work in progress. However, the changes to the common part of unicorn are few and easy to review, and most likely they are not going to introduce any problem with non-ppc platforms. So if you accept the changes you are going to have an otherwise stable engine with experimental, unstable ppc support.

    opened by simigo79 31
  • roadmap to Qemu 2.5 syncing

    I wanted to upgrade straight to Qemu 2.5, but there is a lot of code changed since Qemu 2.2.1, which Unicorn is based on.

    Therefore, I will break this down into a few phases to make it more manageable, and also easier to track bugs introduced by this task:

    • upgrade to 2.3.1
    • upgrade to 2.4.1
    • upgrade to 2.5

    Expect more updates on this work later.

    TODO 
    opened by aquynh 30
  • Fix crashes on M1

    See #1615

    I just merged the changes from https://github.com/QDucasse/unicorn/pull/2. Unfortunately this doesn't seem to fix everything. The new state of the tests on the M1:

    ./build/test_x86
    Test test_x86_in...                             [ OK ]
    Test test_x86_out...                            [ OK ]
    Test test_x86_mem_hook_all...                     Test interrupted by signal 10.
    Test test_x86_inc_dec_pxor...                   [ OK ]
    Test test_x86_relative_jump...                  [ OK ]
    Test test_x86_loop...                           [ OK ]
    Test test_x86_invalid_mem_read...               [ OK ]
    Test test_x86_invalid_mem_write...              [ OK ]
    Test test_x86_invalid_jump...                   [ OK ]
    Test test_x86_64_syscall...                     [ OK ]
    Test test_x86_16_add...                         [ OK ]
    Test test_x86_reg_save...                       [ OK ]
    Test test_x86_invalid_mem_read_stop_in_cb...    [ OK ]
    Test test_x86_x87_fnstenv...                    [ OK ]
    Test test_x86_mmio...                           [ OK ]
    Test test_x86_missing_code...                   [ OK ]
    Test test_x86_smc_xor...                        [ OK ]
    Test test_x86_mmio_uc_mem_rw...                 [ OK ]
    Test test_x86_sysenter...                       [ OK ]
    Test test_x86_hook_cpuid...                     [ OK ]
    Test test_x86_486_cpuid...                      [ OK ]
    Test test_x86_clear_tb_cache...                 [ OK ]
    Test test_x86_clear_empty_tb...                 [ OK ]
    Test test_x86_hook_tcg_op...                    [ OK ]
    Test test_x86_cmpxchg...                        [ OK ]
    Test test_x86_nested_emu_start...               [ OK ]
    Test test_x86_nested_emu_stop...                [ OK ]
    Test test_x86_64_nested_emu_start_error...      [ OK ]
    Test test_x86_eflags_reserved_bit...            [ OK ]
    Test test_x86_nested_uc_emu_start_exits...      [ OK ]
    Test test_x86_clear_count_cache...                Test interrupted by signal 10.
    Test test_x86_correct_address_in_small_jump_hook... [ OK ]
    Test test_x86_correct_address_in_long_jump_hook... [ OK ]
    Test test_x86_invalid_vex_l...                  [ OK ]
    Test test_x86_lazy_mapping...                   [ OK ]
    Test test_x86_cpuid_1...                        [ OK ]
    FAILED: 2 of 36 unit tests have failed.
    
    opened by mrexodia 1
  • Check Unicorn memory regions after address translation

    Description

    While emulating a binary that configures and enables the MMU, both physical and virtual address ranges have to be added to the Unicorn instance beforehand. Unicorn will never access the added virtual range, but it will do the address translation and, as expected, it accesses the memory area at the physical address range. However, it will crash with an unmapped memory error if the virtual address range is not added to the Unicorn instance. What I see as a problem is that the load_helper and store_helper functions do the Unicorn memory region lookup first and then do the address translation after it. This works fine if the MMU is disabled, as the address translator will simply return the original address. However, with the MMU enabled, Unicorn won't find the address range for the virtual address before translation, but it would find it after translating it to a physical address. I've observed the issue with ARM and ARM64 architectures but I can imagine it affects others too.

    I think this is the same issue: #1602

    Tested with Unicorn 2.0.0 and aarch64-linux-gnu-gcc 12.2.0

    Example

    I've prepared a simple ARM64 example for demonstrating the issue. I've also attached the complete test environment: unicorn_mmu_bug.zip

    test_mmu.s

    • The code starts with the MMU being turned off
    • We load the binary to the 0x0000_0000 address
    • We read data from 0x4000_0000, note that this is now a physical address
    • Enable MMU with the mapping below
      • 0x0000_0000- 0x3fff_ffff -> 0x0000_0000 - 0x3fff_ffff
      • 0x4000_0000- 0x7fff_ffff -> 0x4000_0000 - 0x7fff_ffff
      • 0x8000_0000- 0xbfff_ffff -> 0x4000_0000 - 0x7fff_ffff
      • 0xc000_0000- 0xffff_ffff -> 0x4000_0000 - 0x7fff_ffff
    • With this MMU setting we can read the 0x4000_0000 address by reading 0x4000_0000, 0x8000_0000 or 0xc000_0000.
    • Read 0x8000_0000, which should be translated to 0x4000_0000 and we should get the same value as we got by reading 0x4000_0000 before as a physical address.
    • The two read results are in X1 and X2 registers.
    // Based on https://developer.arm.com/documentation/dai0527/a/
    
        .global _start
    _start:
        // Read data from physical address
        ldr X0, =0x40000000
        ldr X1, [X0]
    
        // Initialize translation table control registers
        ldr X0, =0x180803F20
        msr TCR_EL1, X0
        ldr X0, =0xFFFFFFFF
        msr MAIR_EL1, X0
    
        // Set translation table
        adr X0, ttb0_base
        msr TTBR0_EL1, X0
    
        // Enable caches and the MMU
        mrs X0, SCTLR_EL1
        orr X0, X0, #(0x1 << 2) // The C bit (data cache).
        orr X0, X0, #(0x1 << 12) // The I bit (instruction cache)
        orr X0, X0, #0x1 // The M bit (MMU).
        msr SCTLR_EL1, X0
        dsb SY
        isb
    
        // Read the same memory area through virtual address
        ldr X0, =0x80000000
        ldr X2, [X0]
    
        // Stop
        b .
    
        // Put a 64-bit value with little endianness.
        .macro PUT_64B high, low
        .word \low
        .word \high
        .endm
    
        // Create an entry for a 1GB block.
        .macro BLOCK_1GB PA, ATTR_HI, ATTR_LO
        PUT_64B \ATTR_HI, ((\PA) & 0xC0000000) | \ATTR_LO | 0x1
        .endm
    
        .align 12 // 12 for 4KB granule.
    ttb0_base:
        BLOCK_1GB 0x00000000, 0, 0x740
        BLOCK_1GB 0x40000000, 0, 0x740
        BLOCK_1GB 0x40000000, 0, 0x740
        BLOCK_1GB 0x40000000, 0, 0x740
    

    test_mmu.py

    • Map 0x0000_0000 - 0x0000_2000 for the binary
    • Map 0x4000_0000 - 0x4000_1000 for the test data, fill with 0x44
    • Map 0x8000_0000 - 0x8000_1000 for the virtual area that we read if argv[1] == map_va, fill with 0x88
    • Start emulation and print results
    from unicorn import *
    from unicorn.arm64_const import *
    import sys
    
    map_virtual_area = len(sys.argv) > 1 and sys.argv[1] == "map_va"
    
    uc = Uc(UC_ARCH_ARM64, UC_MODE_ARM)
    
    uc.mem_map(0x0000_0000, 0x2000, UC_PROT_ALL)
    uc.mem_map(0x4000_0000, 0x1000, UC_PROT_ALL)
    
    if map_virtual_area:
        uc.mem_map(0x8000_0000, 0x1000, UC_PROT_ALL)
    
    with open("test_mmu.bin", "rb") as f:
        uc.mem_write(0x0000_0000, f.read())
    uc.mem_write(0x4000_0000, bytes([0x44] * 0x1000))
    
    if map_virtual_area:
        uc.mem_write(0x8000_0000, bytes([0x88] * 0x1000))
    
    try:
        uc.emu_start(0, 0x44, count=100)
    except UcError as e:
        print("Unicorn error:", e)
    
    print(f"PC = 0x{uc.reg_read(UC_ARM64_REG_PC):08x}")
    print(f"X0 = 0x{uc.reg_read(UC_ARM64_REG_X0):08x}")
    print(f"X1 = 0x{uc.reg_read(UC_ARM64_REG_X1):08x}")
    print(f"X2 = 0x{uc.reg_read(UC_ARM64_REG_X2):08x}")
    

    Results

    $ python test_mmu.py 
    Unicorn error: Invalid memory read (UC_ERR_READ_UNMAPPED)
    PC = 0x00000040
    X0 = 0x80000000
    X1 = 0x4444444444444444
    X2 = 0x00000000
    $ python test_mmu.py map_va
    PC = 0x00000044
    X0 = 0x80000000
    X1 = 0x4444444444444444
    X2 = 0x4444444444444444
    

    Note that if the virtual address is mapped, it correctly reads 0x4444444444444444 from the physical address range.

    opened by imre-kis-arm 3
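The ordering point the report makes (region lookup on the untranslated address, translation afterwards) can be reproduced without an emulator. The following is an added model, not Unicorn's code and not part of the report: it rebuilds the four level-1 block descriptors exactly as the `BLOCK_1GB` macro in test_mmu.s does (TCR_EL1 value 0x180803F20 gives T0SZ = 32 and a 4 KB granule, so the walk starts at level 1 with four 1 GB entries), implements the stage-1 walk for that table, and then performs a guest load under both check orders. The regions and the 0x44 fill byte mirror test_mmu.py without the `map_va` argument; memory attributes, caches and the level-2/3 walk are deliberately not modelled.

```python
# Added model (not Unicorn's code) of the AArch64 stage-1 walk for the table in
# test_mmu.s and of the two region-check orders the issue contrasts.
from typing import Dict, List, Tuple

ATTR_LO = 0x740     # lower attributes used by the assembly's BLOCK_1GB entries
VALID = 0x1         # descriptor bit 0: valid; bit 1 clear at level 1 means "block"


def block_1gb(pa: int, attr_hi: int = 0, attr_lo: int = ATTR_LO) -> int:
    """Mirror of the BLOCK_1GB macro: a level-1 block descriptor for a 1 GB region."""
    return (attr_hi << 32) | (pa & 0xC0000000) | attr_lo | VALID


# ttb0_base from test_mmu.s: VA 0x8000_0000 and 0xC000_0000 alias PA 0x4000_0000.
TTB0 = [block_1gb(0x00000000), block_1gb(0x40000000),
        block_1gb(0x40000000), block_1gb(0x40000000)]


def translate(va: int, ttb0: List[int] = TTB0) -> int:
    """Stage-1 translation for a 32-bit VA space (T0SZ=32) made of 1 GB blocks."""
    if va >> 32:
        raise ValueError(f"VA 0x{va:x} is outside the T0SZ=32 range")
    desc = ttb0[(va >> 30) & 0x3]          # VA[31:30] indexes the level-1 table
    if not desc & VALID:
        raise ValueError(f"translation fault at VA 0x{va:x}")
    if desc & 0x2:
        raise NotImplementedError("table descriptors are not modelled here")
    return (desc & 0x0000FFFFC0000000) | (va & 0x3FFFFFFF)   # OA[47:30] | VA[29:0]


Region = Tuple[int, int]   # (base, size), as passed to uc.mem_map


def is_mapped(addr: int, regions: List[Region]) -> bool:
    return any(base <= addr < base + size for base, size in regions)


def guest_load(va: int, mmu_on: bool, regions: List[Region],
               memory: Dict[int, int], check_before_translation: bool) -> int:
    """Return the byte a guest load of `va` sees, or raise LookupError.

    check_before_translation=True models the order the issue describes for
    load_helper/store_helper (lookup on the untranslated address first);
    False models a lookup on the translated physical address only.
    """
    if check_before_translation and not is_mapped(va, regions):
        raise LookupError(f"UC_ERR_READ_UNMAPPED at VA 0x{va:x}")
    pa = translate(va) if mmu_on else va
    if not is_mapped(pa, regions):
        raise LookupError(f"UC_ERR_READ_UNMAPPED at PA 0x{pa:x}")
    return memory.get(pa, 0)


# Constructed state matching test_mmu.py without the map_va argument.
REGIONS: List[Region] = [(0x0000_0000, 0x2000), (0x4000_0000, 0x1000)]
MEMORY: Dict[int, int] = {0x4000_0000: 0x44}


def read_via_alias(check_before_translation: bool):
    """Read PA 0x4000_0000 through the alias VA 0x8000_0000 with the MMU enabled."""
    try:
        return guest_load(0x8000_0000, True, REGIONS, MEMORY, check_before_translation)
    except LookupError as err:
        return str(err)


if __name__ == "__main__":
    print("lookup before translation:", read_via_alias(True))
    print("lookup after translation: ", read_via_alias(False))
```

With the lookup done first, the alias read fails exactly as in the first `test_mmu.py` run; with the lookup done on the translated address, it returns the 0x44 stored at the physical range, which is the behaviour the second run shows once the virtual range is mapped as a dummy region.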
  • Incorrect Jitted Code For a SHL Instruction Resulting From a MEM_WRITE

    A colleague and I ran across this issue when noticing that the shl instruction below neglects to set the CF when it is supposed to. Upon digging into why this was the case, it turns out that the JIT'd code for this translation block is completely off. It comes as a result of a MEM_WRITE hook being called when lifting the shl to its TCGOp representation; that is the initial trigger that begins generating the wrong JIT'd code, and results in the liveness_pass1 handler removing the necessary remaining components of the shl handler.

    0045849F 52                        push    edx
    004584A0 D3 A4 0C F5 E3 5C 85      shl     dword ptr [esp+ecx-7AA31C0Bh], cl
    004584A7 0F 83 80 60 13 00         jnb     loc_58E52D
    004584AD 87 AC 0C F9 E3 5C 85      xchg    ebp, [esp+ecx+4+var_7AA31C0B]
    004584B4 8B 8C 0C E1 E3 5C 85      mov     ecx, [esp+ecx+4+var_7AA31C23]
    004584BB 66 C1 64 24 20 CA         shl     word ptr [esp+4+arg_18], 0CAh
    004584C1 8B 54 24 20               mov     edx, [esp+4+arg_18]
    004584C5 0F 86 FE 10 10 00         jbe     loc_5595C9

    The resulting TranslationBlock is from the push up to the jnb. The shl is correctly lifted to its IR representation, including the hooks inserted via gen_jmp_im. All of this comes out of gen_shift_rm_T1. However, upon the liveness_pass1 optimization pass that eventually follows it, the necessary code is "optimized away", resulting in the incorrect JIT'd code, thus resulting into an incorrect interpretation of the flags for this instruction.

    [screenshot]

    Here is the exact location where the hook that gets inserted starts the trouble:

    [screenshot]

    The "fix" in our particular case, was simply removing this MEM_WRITE hook, which results in avoiding the gen_jmp_im being generated and acted upon, but this is a scary fix :) Will work on putting exact steps for repro, as this is part of a larger emulation we're doing, but I hope it can already begin pinpointing the exact root cause of the issue.

    Update

    Huge kudos to my colleague here w/ the necessary assist. The resulting code incorrectly generates the same issue w/ the wrong implementation of the shl instruction.

    [0x1968000053c]  : and         ebx,1Fh                    ; missing the sub_i64
    [0x1968000053f]  : shlx        r13,r13,rbx                ; missing the subsequent shlx
    [0x19680000544]  : mov         qword ptr [rbp+80h],1021h  ; jmp_hook no no no
    
    import unicorn
    import binascii
    from unicorn.x86_const import *
    #from capstone import *
    
    def code_hook(mu, access, address, size, value, user_data):
        return True
        
    uc = unicorn.Uc(unicorn.UC_ARCH_X86, unicorn.UC_MODE_32)
    uc.hook_add(unicorn.UC_HOOK_MEM_READ | unicorn.UC_HOOK_MEM_WRITE, code_hook)
    
    uc.mem_map(0xFFFF0000, 0x2000)
    uc.reg_write(UC_X86_REG_ESP, 0xFFFF1000)
    uc.reg_write(UC_X86_REG_EBP, 0xFFFF1000)
    
    '''
    0x1000:  push    ecx
    0x1001:  mov     ecx, 0x1ea53211
    0x1006:  lea     ecx, [ecx + ecx*8 + 0x718e20eb]
    0x100d:  or      cl, 0xd0
    0x1010:  lea     ebp, [ebp + ecx - 0x5778699]
    0x1017:  not     ecx
    0x1019:  or      dword ptr [esp + ecx - 0x7aa31c0f], ecx
    0x1020:  push    edx
    0x1021:  shl     dword ptr [esp + ecx - 0x7aa31c0b], cl
    0x1028:  jae     0x136087
    0x102e:  ret
    '''
    code = binascii.unhexlify('51b91132a51e8d8cc9eb208e7180c9d08dac0d677988faf7d1098c0cf1e35c8552d3a40cf5e35c850f8380601300C3')
    addr = 0x1000
    
    uc.mem_map(0, 0x10000)
    uc.mem_write(addr, code)
    uc.emu_start(addr, addr + len(code), count=10)
    

    The x64 implementation also suffers from the same issue:

    import unicorn
    import binascii
    from unicorn.x86_const import *
    #from capstone import *
    
    def code_hook(mu, access, address, size, value, user_data):
        return True
        
    '''def debug_print(mu, address, size, user_data):
        md = Cs(CS_ARCH_X86, CS_MODE_64)
        temp = mu.mem_read(address, size)
        for (addr, size, mnemonic, op_str) in md.disasm_lite(temp, 1):
            print("0x%x:\t%s\t%s" %(address, mnemonic, op_str))'''
        
    uc = unicorn.Uc(unicorn.UC_ARCH_X86, unicorn.UC_MODE_64)
    #uc.hook_add(unicorn.UC_HOOK_MEM_READ | unicorn.UC_HOOK_MEM_WRITE, code_hook) #jmp taken no output
    uc.hook_add(unicorn.UC_HOOK_MEM_READ | unicorn.UC_HOOK_MEM_WRITE, code_hook) #jmp not taken crashing resulting in different output:
    #  Traceback (most recent call last):
    #    File ".\stub_64.py", line 35, in <module>
    #      uc.emu_start(addr, addr + len(code), count=5)
    #    File "C:\Python38\lib\site-packages\unicorn\unicorn.py", line 341, in emu_start
    #      raise UcError(status)
    #  unicorn.unicorn.UcError: Invalid memory fetch (UC_ERR_FETCH_UNMAPPED)
    #uc.hook_add(unicorn.UC_HOOK_CODE, debug_print)
    
    uc.mem_map(0xFFFF0000, 0x2000)
    uc.reg_write(UC_X86_REG_RSP, 0xFFFF1000)
    uc.reg_write(UC_X86_REG_RBP, 0xFFFF1000)
    '''
    0x1000: movabs  rcx, 0xffffffffffffffff
    0x100a: mov     qword ptr [rsp], rcx
    0x100e: shl     qword ptr [rsp], cl
    0x1012: jae     0xd
    0x1014: ret
    '''
    code = binascii.unhexlify('48B9FFFFFFFFFFFFFFFF48890C2448D32424730AC3')
    addr = 0x1000
    
    uc.mem_map(0, 0x2000)
    uc.mem_write(addr, code)
    uc.emu_start(addr, addr + len(code), count=5)
    
    opened by trustednstaller 0
  • 'tcg fatal error' from QEMU when trying to emulate non-sense FF D8 opcode

    Hi!

    One of our tools is using Unicorn for shellcode detection. While feeding it arbitrary data, we noticed that the QEMU used by Unicorn crashes on the FF D8 opcode. These bytes come from the beginning of the JPEG magic (\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x01\x00)

    FF D8 is an invalid instruction that is parsed as CALL FAR m16:32 with mod=3, rm=0 (CALL FAR rax?) and normally results in #UD.

    Is it expected to trigger tcg_abort on such nonsense code, or is it an indicator of a bug in QEMU?

    Output from a debug build executed with UNICORN_DEBUG=1 under gdb:

    *** TCG before optimization:
     0:  ld_i32 tmp11,env,$0xfffffffffffffff0
     1:  movi_i32 tmp12,$0x0
     2:  brcond_i32 tmp11,tmp12,lt,$L0
    
     insn_idx=0 ---- 0000000000100000 0000000000000000
     1:  movi_i64 tmp3,$0x100000
     2:  st_i64 tmp3,env,$0x80
     3:  movi_i32 tmp11,$0x2
     4:  movi_i64 tmp13,$0x555555fcfe50
     5:  movi_i64 tmp14,$0x100000
     6:  movi_i32 tmp12,$0x2
     7:  call uc_tracecode,$0x0,$0,tmp11,tmp12,tmp13,tmp14
     8:  ld_i32 tmp11,env,$0xfffffffffffffff0
     9:  movi_i32 tmp12,$0x0
     10:  brcond_i32 tmp11,tmp12,lt,$L0
     11:  mov_i64 tmp0,rax
     12:  qemu_ld_i64 tmp1,tmp2,leul,2
     13:  ld_i32 tmp11,env,$0xfffffffffffffff0
     14:  movi_i32 tmp12,$0x0
     15:  brcond_i32 tmp11,tmp12,lt,$L0
     16:  movi_i64 tmp13,$0x4
     17:  add_i64 tmp2,tmp2,tmp13
     18:  qemu_ld_i64 tmp0,tmp2,leuw,2
     19:  ld_i32 tmp11,env,$0xfffffffffffffff0
     20:  movi_i32 tmp12,$0x0
     21:  brcond_i32 tmp11,tmp12,lt,$L0
     22:  mov_i32 tmp5,tmp0
     23:  movi_i64 tmp13,$0x100002
     24:  movi_i32 tmp11,$0x1
     25:  call lcall_protected,$0x0,$0,env,tmp5,tmp1,tmp11,tmp13
     26:  ld_i64 tmp7,env,$0x80
     27:  call lookup_tb_ptr,$0x6,$1,tmp14,env
     28:  goto_ptr tmp14
     29:  set_label $L0
     30:  exit_tb $0x7fffb2d42043
    
    *** TCG before codegen:
     0:  ld_i32 tmp11,env,$0xfffffffffffffff0
     1:  movi_i32 tmp12,$0x0
     2:  brcond_i32 tmp11,tmp12,lt,$L0  dead: 0 1
    
     insn_idx=0 ---- 0000000000100000 0000000000000000
     1:  movi_i64 tmp3,$0x100000
     2:  st_i64 tmp3,env,$0x80  dead: 0 1
     3:  movi_i32 tmp11,$0x2
     4:  movi_i64 tmp13,$0x555555fcfe50
     5:  movi_i64 tmp14,$0x100000
     6:  movi_i32 tmp12,$0x2
     7:  call uc_tracecode,$0x0,$0,tmp11,tmp12,tmp13,tmp14  dead: 0 1 2 3
     8:  ld_i32 tmp11,env,$0xfffffffffffffff0
     9:  movi_i32 tmp12,$0x0
     10:  brcond_i32 tmp11,tmp12,lt,$L0  dead: 0 1
     11:  qemu_ld_i64 tmp1,tmp2,leul,2
     12:  ld_i32 tmp11,env,$0xfffffffffffffff0
     13:  movi_i32 tmp12,$0x0
     14:  brcond_i32 tmp11,tmp12,lt,$L0  dead: 0 1
     15:  movi_i64 tmp13,$0x4
     16:  add_i64 tmp2,tmp2,tmp13  dead: 1 2
     17:  qemu_ld_i64 tmp0,tmp2,leuw,2  dead: 1
     18:  ld_i32 tmp11,env,$0xfffffffffffffff0
     19:  movi_i32 tmp12,$0x0
     20:  brcond_i32 tmp11,tmp12,lt,$L0  dead: 0 1
     21:  mov_i32 tmp5,tmp0  dead: 1
     22:  movi_i64 tmp13,$0x100002
     23:  movi_i32 tmp11,$0x1
     24:  call lcall_protected,$0x0,$0,env,tmp5,tmp1,tmp11,tmp13  dead: 0 1 2 3 4
     25:  call lookup_tb_ptr,$0x6,$1,tmp14,env  dead: 1
     26:  goto_ptr tmp14  dead: 0
     27:  set_label $L0
     28:  exit_tb $0x7fffb2d42043
    /home/psrok1/sflock/unicorn/qemu/tcg/tcg.c:3073: tcg fatal error
    
    Program received signal SIGABRT, Aborted.
    __pthread_kill_implementation (no_tid=0, signo=6, threadid=140737350254592) at ./nptl/pthread_kill.c:44
    44	./nptl/pthread_kill.c: No such file or directory.
    (gdb) bt
    #0  __pthread_kill_implementation (no_tid=0, signo=6, threadid=140737350254592) at ./nptl/pthread_kill.c:44
    #1  __pthread_kill_internal (signo=6, threadid=140737350254592) at ./nptl/pthread_kill.c:78
    #2  __GI___pthread_kill (threadid=140737350254592, signo=signo@entry=6) at ./nptl/pthread_kill.c:89
    #3  0x00007ffff7c8f476 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
    #4  0x00007ffff7c757f3 in __GI_abort () at ./stdlib/abort.c:79
    #5  0x00007ffff40aec66 in temp_load (s=0x55555606bda0, ts=0x55555606c978, desired_regs=65343, allocated_regs=48, preferred_regs=0) at /home/psrok1/sflock/unicorn/qemu/tcg/tcg.c:3073
    #6  0x00007ffff40afa85 in tcg_reg_alloc_op (s=0x55555606bda0, op=0x555555ff9780) at /home/psrok1/sflock/unicorn/qemu/tcg/tcg.c:3455
    #7  0x00007ffff40b0ae2 in tcg_gen_code_x86_64 (s=0x55555606bda0, tb=0x7fffb2d42040) at /home/psrok1/sflock/unicorn/qemu/tcg/tcg.c:3834
    #8  0x00007ffff40dabb3 in tb_gen_code_x86_64 (cpu=0x5555560ae7a0, pc=1048576, cs_base=0, flags=4243632, cflags=-16777216) at /home/psrok1/sflock/unicorn/qemu/accel/tcg/translate-all.c:1648
    #9  0x00007ffff40c3b12 in tb_find (cpu=0x5555560ae7a0, last_tb=0x0, tb_exit=0, cf_mask=0) at /home/psrok1/sflock/unicorn/qemu/accel/tcg/cpu-exec.c:256
    #10 0x00007ffff40c4406 in cpu_exec_x86_64 (uc=0x555555fcfe50, cpu=0x5555560ae7a0) at /home/psrok1/sflock/unicorn/qemu/accel/tcg/cpu-exec.c:597
    #11 0x00007ffff4086873 in tcg_cpu_exec (uc=0x555555fcfe50) at /home/psrok1/sflock/unicorn/qemu/softmmu/cpus.c:96
    #12 0x00007ffff4086b2c in resume_all_vcpus_x86_64 (uc=0x555555fcfe50) at /home/psrok1/sflock/unicorn/qemu/softmmu/cpus.c:215
    #13 0x00007ffff4086bc7 in vm_start_x86_64 (uc=0x555555fcfe50) at /home/psrok1/sflock/unicorn/qemu/softmmu/cpus.c:234
    #14 0x00007ffff4072f93 in uc_emu_start (uc=0x555555fcfe50, begin=1048576, until=1048578, timeout=0, count=1048576) at /home/psrok1/sflock/unicorn/uc.c:870
    

    We can see that our instruction was interpreted as far call: 24: call lcall_protected,$0x0,$0,env,tmp5,tmp1,tmp11,tmp13 dead: 0 1 2 3 4

    opened by psrok1 0
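The decoding the report describes follows directly from how opcode FF works: the operation is selected by the ModRM.reg field, the far forms (/3 CALL FAR and /5 JMP FAR) take only a memory operand, so mod=3 is #UD, and /7 is unassigned. The following is an added helper, not Unicorn or QEMU code and not part of the report: it classifies an FF-prefixed encoding, and a byte-granular scan over the JPEG header from the report shows FF D8 flagged at offset 0. The scan is a screening heuristic (it treats every FF byte as an opcode rather than following instruction boundaries), which is the right trade-off when the goal is to keep such input away from the translator rather than to disassemble it.

```python
# Added helper (not Unicorn/QEMU code): classify x86 opcode FF (group 5) by its
# ModRM byte and flag encodings that architecturally raise #UD.
from typing import Optional, Tuple

FF_GROUP5 = {0: "INC", 1: "DEC", 2: "CALL", 3: "CALL FAR",
             4: "JMP", 5: "JMP FAR", 6: "PUSH"}
NEEDS_MEMORY = {3, 5}   # far CALL/JMP read m16:16/m16:32/m16:64, never a register


def decode_ff(code: bytes) -> Tuple[str, bool]:
    """Decode opcode FF followed by ModRM. Returns (mnemonic, is_undefined)."""
    if len(code) < 2 or code[0] != 0xFF:
        raise ValueError("expected an FF-prefixed instruction of at least 2 bytes")
    modrm = code[1]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if reg == 7:                                   # FF /7 has no defined operation
        return ("(undefined FF /7)", True)
    mnemonic = FF_GROUP5[reg]
    if reg in NEEDS_MEMORY and mod == 3:           # register form of a far branch
        return (f"{mnemonic} with register operand (mod=3, rm={rm})", True)
    return (mnemonic, False)


def first_ff_ud(blob: bytes) -> Optional[int]:
    """Offset of the first FF byte whose ModRM makes it #UD, or None.

    Byte-granular: every FF byte is treated as an opcode, so this over-reports
    on real code but is a cheap pre-screen before handing data to an emulator.
    """
    for i in range(len(blob) - 1):
        if blob[i] == 0xFF and decode_ff(blob[i:i + 2])[1]:
            return i
    return None


# JPEG magic from the report.
JPEG_HEADER = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x01\x00"

if __name__ == "__main__":
    print(decode_ff(JPEG_HEADER[0:2]))     # FF D8 -> CALL FAR with a register operand
    print(decode_ff(JPEG_HEADER[2:4]))     # FF E0 -> JMP rax, a valid encoding
    print("first #UD offset:", first_ff_ud(JPEG_HEADER))
```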
  • Fix big endian issues

    This PR fixes a few test failures if the host architecture is Big Endian:

    • On BE architectures, truncating an integer type will change its value, because the lower bits will be cut off, not the higher ones. Most notably, the program counter in uc_emu_start will end up zeroed. Luckily, the existing set_pc function handles all corner cases correctly.
    • Reading guest memory leaks the endianness to the host, so if the host has a different endianness, this needs to be compensated for. I added a bunch of cpu_to_le and le_to_cpu functions (which are no-ops on LE hosts) for this.
    opened by roehling 3
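The two big-endian pitfalls described in that PR, as an added C example (not Unicorn's or QEMU's code): the helpers cpu_to_le32/le32_to_cpu are written here from scratch with the same shape as the ones the PR mentions, truncate_by_pointer takes a be_host flag so the zeroed-PC effect of copying the leading bytes of a wider integer can be observed on a little-endian machine, and the guest byte string is constructed for the example. The program counter value 0x100000 is the begin address seen in the backtrace above.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Runtime host-endianness probe (constructed helper for this example). */
static bool host_is_big_endian(void)
{
    const uint16_t probe = 0x0102;
    uint8_t first;
    memcpy(&first, &probe, 1);
    return first == 0x01;
}

static uint32_t bswap32(uint32_t v)
{
    return (v >> 24) | ((v >> 8) & 0x0000ff00u) |
           ((v << 8) & 0x00ff0000u) | (v << 24);
}

/* Convert between host byte order and the guest's little-endian memory
 * image: a no-op on LE hosts, a byte swap on BE hosts. Hypothetical
 * analogues of the cpu_to_le / le_to_cpu helpers the PR refers to. */
static uint32_t cpu_to_le32(uint32_t v)
{
    return host_is_big_endian() ? bswap32(v) : v;
}

static uint32_t le32_to_cpu(uint32_t v)
{
    return host_is_big_endian() ? bswap32(v) : v; /* swap is its own inverse */
}

/* Pitfall 1: "truncating" a 64-bit value by copying its first `size` bytes
 * into a narrower integer (memcpy(&narrow, &wide, size)). On an LE host the
 * first bytes are the low ones and the result is right; on a BE host they
 * are the high ones, so a PC below 4 GiB collapses to zero. `be_host`
 * selects which host layout is simulated. */
static uint64_t truncate_by_pointer(uint64_t value, size_t size, bool be_host)
{
    uint8_t mem[8];
    for (size_t i = 0; i < 8; i++) {
        size_t pos = be_host ? 7 - i : i;   /* where byte i sits in host memory */
        mem[pos] = (uint8_t)(value >> (8 * i));
    }
    /* Reinterpret the leading `size` bytes as a `size`-byte host integer. */
    uint64_t out = 0;
    for (size_t i = 0; i < size; i++) {
        size_t pos = be_host ? size - 1 - i : i;
        out |= (uint64_t)mem[pos] << (8 * i);
    }
    return out;
}

/* Fix for pitfall 1: truncate by value, which is endianness-independent. */
static uint64_t truncate_by_value(uint64_t value, size_t size)
{
    if (size >= 8)
        return value;
    return value & ((1ULL << (8 * size)) - 1);
}

/* Pitfall 2: guest memory holds little-endian words, so reading them
 * straight into a host integer leaks the guest byte order into the host.
 * Converting after the copy (and before the write) compensates on BE hosts. */
static uint32_t read_guest_le32(const uint8_t *guest)
{
    uint32_t raw;
    memcpy(&raw, guest, sizeof raw);   /* bytes still in guest order */
    return le32_to_cpu(raw);           /* correct host value on any host */
}

static void write_guest_le32(uint8_t *guest, uint32_t host_value)
{
    uint32_t raw = cpu_to_le32(host_value);
    memcpy(guest, &raw, sizeof raw);
}

/* Returns true when both fixes behave correctly on the running host. */
static bool self_check(void)
{
    /* Constructed guest bytes: the LE encoding of 0x5151494a. */
    const uint8_t guest[4] = {0x4a, 0x49, 0x51, 0x51};
    uint8_t out[4];
    bool ok = read_guest_le32(guest) == 0x5151494au;
    write_guest_le32(out, 0x5151494au);
    ok = ok && memcmp(out, guest, sizeof out) == 0;
    ok = ok && truncate_by_value(0x100000ULL, 4) == 0x100000ULL;
    ok = ok && truncate_by_pointer(0x100000ULL, 4, false) == 0x100000ULL; /* LE host: fine */
    ok = ok && truncate_by_pointer(0x100000ULL, 4, true) == 0;            /* BE host: PC zeroed */
    return ok;
}

int main(void)
{
    return self_check() ? 0 : 1;
}
```

The self-check returns the same result on either host because the conversion helpers are applied symmetrically around the raw copy; the simulated BE case shows why a value-based mask, not a byte copy, is the safe way to narrow an integer.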
  • Is it possible to compile Unicorn Engine for a wasm target

    Is it possible to compile Unicorn Engine for a wasm target

    Would it be possible to use Unicorn Engine in a wasm environment, specifically with the Rust bindings? Compiling the Rust bindings with --target wasm32-unknown-unknown doesn't seem to work as gcc complains about not supporting the target.

    enhancement 
    opened by rmccrystal 2
Releases(2.0.0)
  • 2.0.0(Jul 7, 2022)

    Features:

    • TriCore Support (#1568)

    Fixes/Improvements:

    • Build both shared library and static archive as unicorn1 does.
    • Misc bindings improvements. #1569 #1600 #1609 #1613 #1616
    • Make sure setjmp-setjmp-wrapper-win32 participates in the build. #1604
    • Improve Rust bindings build logic.
    • Fix wrong python binding for UC_CTL_TB_REMOVE_CACHE
    • Flush translation blocks when the count hook is removed.
    • Fix unicorn crash when nested uc_emu_start deletes a hook
    • Fix CPU not fully resumed when writing PC.
    • Don't quit TB if uc_mem_protect doesn't change the protection of current TB memory.
    • Add type annotations for python bindings.
    • Add CPUID hook for python bindings. #1618
    • Don't repeat memory hooks if there is already an unhandled error. #1618
    • Support reads and writes over all Arm SIMD registers #1621
    • Fix wrong registers range in python bindings.
    • Fix uc_mem_protect on mmio regions
    • Fix a UAF caused by hook cache.
    • Fix the value collision between UC_MODE_ARMBE8 and UC_MODE_ARM926

    Thanks:

    @AfoHT @mrexodia @bet4it @lowlyw @ekilmer @ondryaso @QDucasse @PalumboN @uberwoozle

    Source code(tar.gz)
    Source code(zip)
  • 2.0.0-rc7(Apr 17, 2022)

    This release is expected to be the real last RC release of Unicorn2. ;)

    Features:

    • Correctly generate static archives for the static build and have CI auto-tested.
    • Rust bindings revised. #1584
    • Compatible with clang-cl compiler. #1581
    • Implement UC_HOOK_INSN for aarch64 MRS/MSR/SYS/SYSL

    Fixes/Improvements:

    • Several corner cases on our API. #1587 #1595
    • Fix the codegen buffer leak.
    • Rust bindings improvements. #1574 #1575
    • Add "holes" to allow unicorn lib as a drop-in replacement for older ones. #1572
    • s390x backports. #1570
    • Fix exits wrongly removed in nested uc_emu_start
    • Fix a possible endless loop for only one translation block in a multithreaded environment.
    • Fix wrong PC without UC_HOOK_CODE installed.
    • Update vb6 bindings license. #1563
    • Fix buffer allocation failure on M1. #1559
    • Fix wrong EFLAGS on startup.
    • Fix wrong internal states on nested uc_emu_start.
    • Remove armeb-softmmu and aarcheb-softmmu which are usermode targets.
    • Advance PPC32 PC. #1558
    • Support UC_PPC_REG_CR.
    • Update CI to windows-2019

    Thanks:

    @shuffle2 @liyansong2018 @rose4096 @nviennot @n1tram1 @iii-i @dzzie @yrashk @bet4it

    Source code(tar.gz)
    Source code(zip)
  • 2.0.0-rc6(Feb 13, 2022)

    This release is expected to be the last RC release of Unicorn2.

    Features:

    • SystemZ (aka. s390x) support. #1521 #1547
    • The CPUID hook may now return a bool indicating whether to skip the CPUID instruction.
    • ARM/AARCH64 coprocessor registers read/write support. #889

    Fixes/Improvements:

    • Rust improvements. More registers enums #1504 Easier to use #1543 #1545
    • M68k improvements. #1507
    • Golang improvements. Enable uc_ctl_set_model #1506
    • Unit tests improvements. #1512
    • Various ARM system mode fixes. #1500 #1520 #1525 #1531
    • Read/write arm FPSCR and FPSID. #1453
    • Fix the support for ARMv8
    • Fix a large number of memory leaks and unicorn2 now goes with google/oss-fuzz!
    • Add more X87 registers. #1524
    • Add more PPC registers.
    • Fix the exception not cleared in python bindings. #1537
    • Correctly support ARM big endian and drop armeb-softmmu and aarch64eb-softmmu
    • Fix ARM CPSR.E not reflected during runtime.
    • Resolve fuzzing speed problem on macOS.
    • Modernize CmakeFileLists.txt. #1544
    • Fix an issue in nested uc_emu_start

    Thanks:

    @Kritzefitz @zznop @QDucasse @gerph @bet4it @mrexodia @iii-i @jbcayrou @scribam

    Source code(tar.gz)
    Source code(zip)
  • 2.0.0-rc5(Nov 25, 2021)

    This release fixes a few urgent bugs and improves performance.

    Fixes/Improvements:

    • Rust bindings improvements. #1480 #1483
    • Allow R/W to cp15 registers. #1481
    • Fix UC_HOOK_EDGE_GENERATED not calling for indirect jumps.
    • Python bindings build improvements. #1486
    • Fix bindings on m1 macOS.
    • Support nested uc_emu_start calls without context save/restore
    • Fix wrong MMIO offset for 32bit targets.
    • Fix wrong uc_mem_unmap logic for both ram and mmio memory.
    • Inline uc_trace_code and PC sync to improve performance.
    • Various fixes in tests.
    • Allow writing to CPSR to switch bank registers.
    • Implement MMIO in rust bindings. #1499

    Thanks:

    • @domenukk
    • @bet4it
    • @mid-kid
    • @Kritzefitz
    Source code(tar.gz)
    Source code(zip)
  • 2.0.0-rc4(Nov 8, 2021)

    This is a big release of Unicorn and introduces a few powerful new features and a bunch of fixes.

    New Features:

    • New API: uc_ctl, by which you could control CPU models, TB caches or multiple exits etc.
    • New Hook: UC_HOOK_EDGE_GENERATED, UC_HOOK_TCG_OPCODE
    • RISCV CSR read/write.
    • Support reading MIPS hi/lo regs. 7268c2a19bce2db72b90e3ea3b133482c3ff4e58
    • OSS Fuzzing building support.
    • MSVC 32bit and Android build support.
    • Introduce clang-format.

    Fixes/Improvements:

    • Java bindings improvements. unicorn-engine/unicorn#1461
    • API Documents updates. unicorn-engine/unicorn#1459
    • Rust bindings improvements. unicorn-engine/unicorn#1462
    • Add a go.mod for go bindings.
    • CMakeLists.txt improvements as a subproject. #1373
    • Fix rust bindings build script and add CI.
    • Use binary search to find mappings. unicorn-engine/unicorn#1414
    • RISCV:
      • Update pc when exiting execution. unicorn-engine/unicorn#1465
      • Add RISCV control status registers to enable floating. unicorn-engine/unicorn#1469 unicorn-engine/unicorn#1478
      • Fix PC not being advanced after ecall. unicorn-engine/unicorn#1477
    • Fix tb not invalidated when exiting.
    • Fix bindings makefile.
    • Fix uc_mem_protect not working. unicorn-engine/unicorn#1468

    Thanks:

    • @bet4it
    • @kabeor
    • @chfl4gs
    • @QDucasse
    • @h33p
    • @geohot
    • @cla7aye15I4nd
    • @jcalabres
    Source code(tar.gz)
    Source code(zip)
  • 2.0.0-rc3(Oct 6, 2021)

    This is an urgent pre-release regarding python bindings on older Linux systems.

    • Support older Linux distribution, e.g. prior to Ubuntu 19.04
    • Fix a memory leak in uc_close
    • Support building on Android
    • Support hooking CPUID instruction.

    Enjoy.

    Source code(tar.gz)
    Source code(zip)
  • 2.0.0-rc2(Oct 5, 2021)

    This is an urgent pre-release regarding the packaging problem of python bindings.

    • Set zip_false and is_pure to False to avoid issues on some Linux distributions.
    • Link to libm to make sure our libraries work.
    • Support to read ST registers in rust bindings.
    • Fix #1450

    Enjoy.

    Source code(tar.gz)
    Source code(zip)
  • 2.0.0-rc1(Oct 4, 2021)

    Unicorn2 first release candidate!

    • Based on Qemu 5.0.1
    • Remain backward compatible with Unicorn 1.x
    • Update ISA of all existing architectures
    • Support 2 new architectures in PowerPC & RISCV
    Source code(tar.gz)
    Source code(zip)
  • 1.0.3(May 26, 2021)

    • Fix some building issues

      • Fix build with LLVM on Powerpc64(le)
      • cmake: enable UNICORN_HAS_ARMEB when ARM is on
      • Better support MingW building
      • Better support FreeBSD host
      • Better support VS2008/VS2010
    • Fix some issues in the core

      • Fix wrong sync after UC_ERR_[READ, WRITE, FETCH]_[UNMAPPED, PROT]
      • Support querying architecture mode besides arm
      • Fix pausing within Thumb2 ITE blocks
    • Arm:

      • Support Arm BE8 mode
    • X86:

      • Fix FPIP & FTST instructions
    • Bindings:

      • Java: remove deprecated javah and build with javac
      • Python: handle exceptions raised in hook functions
      • Rust binding
    Source code(tar.gz)
    Source code(zip)
  • 1.0.2(Oct 21, 2020)

  • 1.0.2-rc6(Sep 24, 2020)

  • 1.0.2-rc5(Sep 21, 2020)

    • Add cmake option to build Unicorn as a static library
    • Fix error handling of mmap()
    • uc_emu_start() can be reentrant
    • Fix naming conflicts when built with systemd
    • Fix setjmp/longjmp on native Windows
    • Fix enabled hooks even after deleting them
    • X86:
      • Fix 64bit fstenv
      • Fix IP value of 16bit mode
    • ARM:
      • Fix APSR handling
    • Python: Remove UC_ERR_TIMEOUT
    Source code(tar.gz)
    Source code(zip)
  • 1.0.2-rc4(May 29, 2020)

    This version fixes some issues and improves over v1.0.2-rc3.

    • No longer require Python to build
    • Fix recursive UC_HOOK_MEM callbacks for cross pages access
    • Remove UC_ERR_TIMEOUT, so timeout on uc_emu_start() is not considered error
    • Added UC_QUERY_TIMEOUT to query exit reason
    • Fix UAF when deleting hook while in hook callback
    • Ensure that hooks are unaffected by a request to stop emulation.
    • Fix block hooks being called twice after an early exit from execution.
    • Fix binding install on python2 (MacOS)
    • X86:
      • Support read/write STn registers
      • Support read/write X64 base regs
    • ARM64:
      • Support some new registers
    Source code(tar.gz)
    Source code(zip)
  • 1.0.2-rc3(Apr 8, 2020)

  • 1.0.2-rc2(Feb 15, 2020)

  • 1.0.2-rc1(Oct 8, 2019)

  • 1.0.1(Apr 20, 2017)

    Stable release with some important bugfixes & new features for several architectures.

    • Properly handle build with selected-architectures.
    • Fix compilation issues on PPC & S390x.
    • Fix a memory leak on uc_mem_protect().
    • ARM:
      • Support big-endian mode.
      • Correct instruction size of Thumb/Thumb2 code.
      • Support read/write APSR register.
    • ARM64:
      • Support read/write NEON registers.
      • Support read/write NZCV registers.
    • Mips: Support read/write Mips64 registers.
    • X86: Support read/write MSR.
    • Haskell binding: update to the latest API.
    • Python: allow not having PATH setup.
    Source code(tar.gz)
    Source code(zip)
    unicorn-1.0.1-python-win32.msi(7.62 MB)
    unicorn-1.0.1-python-win64.msi(7.60 MB)
    unicorn-1.0.1-win32.zip(16.63 MB)
    unicorn-1.0.1-win64.zip(17.00 MB)
  • 1.0(Feb 23, 2017)

  • 1.0-rc3(Jan 25, 2017)

    Release Candidate 3 of Unicorn Engine 1.0

    Important changes since v1.0-RC2:

    • Core: rename API uc_context_free() to uc_free().
    • ARM:
      • uc_reg_write() now can modify CPSR register.
      • Add some ARM coproc registers.
    • ARM64: uc_reg_read|write() now handles W0-W31 registers.
    • Windows: fix a double free bug in uc_close().
    • New VB6 binding.
    • Java: update to support new APIs from v1.0-rc1.
    • Python:
      • Fix a memory leak that prevents UC instances from being garbage collected.
      • Remove some dependencies leftover from glib time.
      • Add new method mem_regions() (linked to uc_mem_regions() API)
    Source code(tar.gz)
    Source code(zip)
    unicorn-1.0-rc3-win32.zip(15.05 MB)
    unicorn-1.0-rc3-win64.zip(15.38 MB)
  • 1.0-rc2(Jan 4, 2017)

  • 1.0-rc1(Dec 22, 2016)

    Release Candidate 1 of Unicorn Engine version 1.0

    Important changes:

    • Lots of bugfixes in all architectures.
    • Better support for ARM Thumb.
    • Fix many memory leak issues.
    • New bindings: Haskell, MSVC.
    • Better support for Python3.
    • New APIs: uc_query, uc_reg_write_batch, uc_reg_read_batch, uc_mem_map_ptr, uc_mem_regions, uc_context_alloc, uc_context_save & uc_context_restore.
    • New memory hook type: UC_HOOK_MEM_READ_AFTER.
    • Add new version macros UC_VERSION_{MAJOR, MINOR, EXTRA}
    Source code(tar.gz)
    Source code(zip)
    unicorn-1.0-rc1-win32.zip(18.50 MB)
    unicorn-1.0-rc1-win64.zip(18.82 MB)
Owner
Unicorn Engine
Multi-arch multi-platform CPU emulator framework