In Intel IMUL opcode described in one method using different descriptions:

• 6B / r ib IMUL r32, imm8 doubleword register = doubleword register * sign-extended immediate byte
• imul Gv, Ev, I
• OPC_IMUL_GvEvIb
• imul eax, [ecx+0x41], 0x10
• 6b414110 imul eax,DWORD PTR [ecx+0x41],0x10

When encountering an IMUL opcode of i386 architecture, specifically when using with an immediate 8-bit multiplier, the emulator engine does not properly multiply the number 0x5151494a by 0x10 and get the expected 0x151494a0 result.

Interesting thing, is that a standalone IMUL instruction works, but this stack-based AlphaMixed code snippet (derived from Metasploit) failed.

Will submit working proof-of-failure code soon.

I've been battling with running the python bindings on python 3.5.

I keep getting a ImportError: ERROR: fail to load the dynamic library. however I have checked that all libraries are present in .\unicorn\lib

    Directory: C:\Python\Lib\site-packages\unicorn\lib


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----       2016/09/24   7:23 PM         122036 libgcc_s_dw2-1.dll
-a----       2016/09/24   3:17 PM          83742 libgcc_s_seh-1.dll
-a----       2016/10/13   7:02 PM        1124259 libglib-2.0-0.dll
-a----       2015/06/29   1:25 PM        1050543 libiconv-2.dll
-a----       2016/03/31   8:50 AM         132717 libintl-8.dll
-a----       2016/10/09   5:46 PM          56978 libwinpthread-1.dll
-a----       2016/10/31   9:10 PM       26335738 unicorn.dll

The library does load the directories correctly

[-] path: 'C:\Python\lib\site-packages\unicorn\lib'
        [+] lib_file: C:\Python\lib\site-packages\unicorn\lib\libwinpthread-1.dll
        [+] lib_file: C:\Python\lib\site-packages\unicorn\lib\libgcc_s_seh-1.dll
        [+] lib_file: C:\Python\lib\site-packages\unicorn\lib\libgcc_s_dw2-1.dll
[-] path: 'C:\Python\lib\site-packages\unicorn\lib'
        [+] lib_file: C:\Python\lib\site-packages\unicorn\lib\libwinpthread-1.dll
        [+] lib_file: C:\Python\lib\site-packages\unicorn\lib\libgcc_s_seh-1.dll
        [+] lib_file: C:\Python\lib\site-packages\unicorn\lib\libgcc_s_dw2-1.dll
[-] path: ''
        [+] lib_file: libwinpthread-1.dll
        [+] lib_file: libgcc_s_seh-1.dll
        [+] lib_file: libgcc_s_dw2-1.dll
        [+] lib_file: libiconv-2.dll
        [+] lib_file: libintl-8.dll
        [+] lib_file: libglib-2.0-0.dll
[-] path: 'C:\Python\Lib\site-packages'
        [+] lib_file: C:\Python\Lib\site-packages\libwinpthread-1.dll
        [+] lib_file: C:\Python\Lib\site-packages\libgcc_s_seh-1.dll
        [+] lib_file: C:\Python\Lib\site-packages\libgcc_s_dw2-1.dll
        [+] lib_file: C:\Python\Lib\site-packages\libiconv-2.dll
        [+] lib_file: C:\Python\Lib\site-packages\libintl-8.dll
        [+] lib_file: C:\Python\Lib\site-packages\libglib-2.0-0.dll
[-] path: 'C:\Python\Lib\site-packages\unicorn\lib'
        [+] lib_file: C:\Python\Lib\site-packages\unicorn\lib\libwinpthread-1.dll
        [+] lib_file: C:\Python\Lib\site-packages\unicorn\lib\libgcc_s_seh-1.dll
        [+] lib_file: C:\Python\Lib\site-packages\unicorn\lib\libgcc_s_dw2-1.dll
[-] path: '/usr/lib64'
        [+] lib_file: /usr/lib64\libwinpthread-1.dll
        [+] lib_file: /usr/lib64\libgcc_s_seh-1.dll
        [+] lib_file: /usr/lib64\libgcc_s_dw2-1.dll
        [+] lib_file: /usr/lib64\libiconv-2.dll
        [+] lib_file: /usr/lib64\libintl-8.dll
        [+] lib_file: /usr/lib64\libglib-2.0-0.dll
Traceback (most recent call last):
  File "shellcode.py", line 5, in <module>
    from unicorn import *
  File "C:\Python\lib\site-packages\unicorn\__init__.py", line 4, in <module>
    from .unicorn import Uc, uc_version, uc_arch_supported, version_bind, debug, UcError, __version__
  File "C:\Python\lib\site-packages\unicorn\unicorn.py", line 75, in <module>
    raise ImportError("ERROR: fail to load the dynamic library.")
ImportError: ERROR: fail to load the dynamic library.

Note: the extra path was a hard-coded one for debugging.

I have no idea what the issue is here. You can see the hap-hazard file loading from a little debug print() I did :/

Its also worth noting that I have attempt the "official" 0.9 release from the website as well as my own build. Same issue regardless.

attention: @sashs, @enkomio, @adrianherrera, @cseagle, @xorstream, @lunixbochs.

recently we have new APIs uc_context_save() & uc_context_restore(). at the moment, only Python binding supports these API.

thus we need to update other bindings: .Net, Go, Haskell, Java, msvc & ruby.

thanks!

Moved to Unicorn 2 for M1 support. Getting this ~50% of the time

MIPS CPU, with Go bindings if it matters. Perhaps someone has an idea.

Process 34232 stopped
* thread #10, stop reason = EXC_BAD_ACCESS (code=2, address=0x280000098)
    frame #0: 0x0000000101040a14 libunicorn.2.dylib`tb_gen_code_mips + 304
libunicorn.2.dylib`tb_gen_code_mips:
->  0x101040a14 <+304>: str    x8, [x9, #0x18]
    0x101040a18 <+308>: ldur   w8, [x29, #-0x14]
    0x101040a1c <+312>: ldur   x9, [x29, #-0x38]
    0x101040a20 <+316>: str    w8, [x9]
Target 0: (mipsevm.test) stopped.
(lldb) bt
* thread #10, stop reason = EXC_BAD_ACCESS (code=2, address=0x280000098)
  * frame #0: 0x0000000101040a14 libunicorn.2.dylib`tb_gen_code_mips + 304
    frame #1: 0x000000010102b74c libunicorn.2.dylib`tb_find + 92
    frame #2: 0x000000010102b1b0 libunicorn.2.dylib`cpu_exec_mips + 244
    frame #3: 0x0000000100fd8ce0 libunicorn.2.dylib`tcg_cpu_exec + 76
    frame #4: 0x0000000100fd8c0c libunicorn.2.dylib`resume_all_vcpus_mips + 96
    frame #5: 0x0000000100fd8dfc libunicorn.2.dylib`vm_start_mips + 24
    frame #6: 0x0000000100fc676c libunicorn.2.dylib`uc_emu_start + 352
    frame #7: 0x00000001002f7f04 mipsevm.test`_cgo_81152a5834e5_Cfunc_uc_emu_start + 44

Speed isn't that important to me, is there any way to disable threading?

Add ability to mark memory area read only. Add new API uc_mem_map_ex to allow permissions to be passed. Change MemoryBlock to track created MemoryRegions. Add regress/ro_mem_test.c

This also solves the memory leak issue on uc->ram because now all MemoryRegion allocations are tracked in the uc->mapped_blocks array.

Added glib compatible replacements for all glib functions used in unicorn. Removed glib dependencies in Makefiles. I threw the list and hash table implementations together and have paid no attention to their performance. Feel free to replace the hash table implementation with something that performs better. Need help testing. All samples and unit tests run with same results as master on the following platforms: win32 (using mingw), OS X 64, Linux 32, Linux 64. Have not done much testing beyond that.

This is a feature that is required for UC integration in angr. We need to be able to efficiently roll back the state at a whim when we encounter symbolic data that cannot be processed by unicorn.

Originally, our internal code was just including the appropriate private header files and performing this operation manually, but as we're gearing up for distribution, this won't do. So, new feature!

I've done nothing but the bare minimum to demonstrate that it works and is useful since I don't know if this is a feature you'd appreciate having.

Hi,

I was wondering what would it take to support IBM Z in unicorn-engine? QEMU 2.1.2 seems to have sufficient support for it, so I assume the main missing things are these?

• UC_* defines
• machine definition
• hooks
• build system support

Also, based on https://github.com/unicorn-engine/unicorn/issues/1438, do I get it right that such contribution would have to wait until unicorn 2 is out, or would it make sense to also do this for 1.x?

Best regards, Ilya

osx in Travis has brew available without sudo, easy to install cmocka

For linux and appveyor, I created a small script to download and compile cmocka.

Unit test test_tb_x86_64_32_imul_Gv_Ev_Ib now failing on all platforms

TODO: see if clang works in cygwin for builds, currently following up with cmocka

What about changing the tests/unit to pass and adding it to the build process? Maybe bindings too?

I've made only few tests so far: basic arithmetic, and strlen(). No stack-related tests, no tests for resource leaks on multiple runs, no tests for hooks. Also it is limited to e500v2 and built only in ubuntu/amd64/gcc environment. So this is surely work in progress. However the changes to the common part of unicorn are few and easy to review and most likely they are not going to introduce any problem with non-ppc platforms. So if you accept the changes you are going to have an otherwise stable engine with experimental unstable ppc support.

i wanted to straightly upgrade to Qemu 2.5, but there is a lot of code changed from Qemu 2.2.1, which Unicorn is based on.

therefore, i will break this down in few phases to make it more manageable, and also easier to track bugs introduced by this task:

• upgrade to 2.3.1
• upgrade to 2.4.1
• upgrade to 2.5

expect more update on this work later.

Hello everyone!

uc_mem_map allocates a VA section into which Unicorn patches as the code passes, now I need to get pointers to these sections in order to write them to my .exe. Through uc_mem_regions(); I get the same VA each time and the number of blocks that does not match the allocated uc_mem_map, as well as the size that also does not match the allocated size.. well, I can't write down the data that UNICORN patched, respectively, since I can't get pointers to this whole thing

I get this from uc_mem_regions() https://ibb.co/tLY8zVh Instead of the necessary pointers

How can I get a pointer to the memory that uc_mem_map allocated?

SIZE\ADDRESSES

#define ASectionSdataDenuvo 0x140001000
#define ASectionArchDenuvo 0x141C97000
#define ASectionBssDenuvo 0x142AC5000
#define ASectionPdataDenuvo 0x142D56000
#define ASectionTraceDenuvo 0x142E78000
#define ASectionTlsDenuvo 0x142E7A000
#define ASectionSrdataDenuvo 0x15B220000
#define ASectionEdataDenuvo 0x15B276000
#define ASectionIdataDenuvo 0x15B282000
#define ASectionXtextDenuvo 0x15B283000
#define ASectionXtlsDenuvo 0x15B284000
#define ASectionTextDenuvo 0x15B285000
#define ASectionCodeDenuvo 0x15B28D000

int64_t ADDRESS_TEXT_SECTION_NTDLL, ADDRESS_TEXT_SECTION_MSVCRT;

uint64_t SIZE_Section_Sdata_Denuvo = 0x1C96000;
uint64_t SIZE_Section_Arch_Denuvo = 0xE2E000;
uint64_t SIZE_Section_Bss_Denuvo = 0x291000;
uint64_t SIZE_Section_Pdata_Denuvo = 0x122000;
uint64_t SIZE_Section_Trace_Denuvo = 0x2000;
uint64_t SIZE_Section_Tls_Denuvo = 0x183A6000;
uint64_t SIZE_Section_Srdata_Denuvo = 0x56000;
uint64_t SIZE_Section_Edata_Denuvo = 0xC000;
uint64_t SIZE_Section_Idata_Denuvo = 0x1000;
uint64_t SIZE_Section_Xtext_Denuvo = 0x1000;
uint64_t SIZE_Section_Xtls_Denuvo = 0x1000;
uint64_t SIZE_Section_Text_Denuvo = 0x8000;
uint64_t SIZE_Section_Code_Denuvo = 0x1B000;

uint64_t SIZE_Section_Text_Ntdll = 0x119000;
uint64_t SIZE_Section_Text_Msvcrt = 0x75000;

uc_mem_map I have such a quantity and it does not correspond to 11 blocks in any way

0) uc_mem_map(uc, STACK_ADDRESS, SIZE_OF_STACK, UC_PROT_ALL);

1) uc_mem_map(uc, ASectionSdataDenuvo, SIZE_Section_Sdata_Denuvo, UC_PROT_ALL);
2) uc_mem_map(uc, ASectionArchDenuvo, SIZE_Section_Arch_Denuvo, UC_PROT_ALL);
3) uc_mem_map(uc, ASectionBssDenuvo, SIZE_Section_Bss_Denuvo, UC_PROT_ALL);
4) uc_mem_map(uc, ASectionPdataDenuvo, SIZE_Section_Pdata_Denuvo, UC_PROT_ALL);
5) uc_mem_map(uc, ASectionTraceDenuvo, SIZE_Section_Trace_Denuvo, UC_PROT_ALL);
6) uc_mem_map(uc, ASectionTlsDenuvo, SIZE_Section_Tls_Denuvo, UC_PROT_ALL);
7) uc_mem_map(uc, ASectionSrdataDenuvo, SIZE_Section_Srdata_Denuvo, UC_PROT_ALL);
8) uc_mem_map(uc, ASectionEdataDenuvo, SIZE_Section_Edata_Denuvo, UC_PROT_ALL);
9) uc_mem_map(uc, ASectionIdataDenuvo, SIZE_Section_Idata_Denuvo, UC_PROT_ALL);
10) uc_mem_map(uc, ASectionXtextDenuvo, SIZE_Section_Xtext_Denuvo, UC_PROT_ALL);
11) uc_mem_map(uc, ASectionXtlsDenuvo, SIZE_Section_Xtls_Denuvo, UC_PROT_ALL);
12) uc_mem_map(uc, ASectionTextDenuvo, SIZE_Section_Text_Denuvo, UC_PROT_ALL);
13) uc_mem_map(uc, ASectionCodeDenuvo, SIZE_Section_Code_Denuvo, UC_PROT_ALL);

14) uc_mem_map(uc, ADDRESS_TEXT_SECTION_NTDLL, SIZE_Section_Text_Ntdll, UC_PROT_ALL);
15) uc_mem_map(uc, ADDRESS_TEXT_SECTION_MSVCRT, SIZE_Section_Text_Msvcrt, UC_PROT_ALL);

16) uc_mem_map(uc, GS_BASE_ADDRESS, SIZE_OF_GDT_BASE, UC_PROT_ALL);

implementation of uc_mem_regions();

if (address == 0x156265A75)
    {
        uc_err err;
        uc_mem_region* region;
        uint32_t count;

        if ((err = uc_mem_regions(uc, &region, &count))) {
            std::cout << "Failed on uc_mem_regions() with error returned %u: %s" << err << uc_strerror(err) << endl;
        }

        cout << "Starting address: 0x" << hex << region->begin << " End address: 0x" << hex << region->end << " Memory permissions: " << region->perms << " Number of memory blocks requested: " << count << endl << endl << endl << endl;
    }

Code like this is Not Support public static final byte[] THUMB_CODE1 = {(byte) 0xD3, (byte) 0xE8, (byte) 0xEF, 0x4F}; // ldaex r4, [r3]

Similar Instruction like public static final byte[] THUMB_CODE2 = {(byte) 0xC3, (byte) 0xE8, (byte) 0xE5,0x2F} // stlex r5, r2, [r3] is also not support

These occur in simulate android "libc.so",in function "pthread_key_create".Am I wrong when using unicon?

code is here： pthread_key_create
.text:00047964
.text:00047964 ; __unwind { .text:00047964 PUSH {R4,R5,R7,LR} .text:00047966 LDR.W R12, =(_ZL7key_map - 0x47972) .text:0004796A MOV.W LR, #0 .text:0004796E ADD R12, PC ; key_map .text:00047970 .text:00047970 loc_47970 ; CODE XREF: .text:000479A0↓j .text:00047970 LDR.W R2, [R12,LR,LSL#3] .text:00047974 ADD.W R3, R12, LR,LSL#3 .text:00047978 B loc_47994 .text:00047978 ; --------------------------------------------------------------------------- .text:0004797A unk_4797A DCB 0xD3 ; CODE XREF: .text:00047996↓j .text:0004797B DCB 0xE8 .text:0004797C DCB 0xEF .text:0004797D DCB 0x4F ; O .text:0004797E ; --------------------------------------------------------------------------- .text:0004797E CMP R4, R2 .text:00047980 BNE loc_4798E .text:00047982 ADDS R2, #1 .text:00047982 ; --------------------------------------------------------------------------- .text:00047984 DCB 0xC3 .text:00047985 DCB 0xE8 .text:00047986 DCB 0xE5 .text:00047987 DCB 0x2F ; / .text:00047988 ; --------------------------------------------------------------------------- .text:00047988 MOV R2, R4 .text:0004798A CBNZ R5, loc_47994 .text:0004798C B loc_479A6 .text:0004798E ; -----------------------------------------------

Environment

• OS: Ubuntu 22.04.1 LTS (Linux 5.15.0)
• Unicorn: 2.0.0 (6c1cbef6)
• CMake: 3.22.1
• GCC: 11.3.0

Issue

uc_emu_start() doesn't stop emulation at an address specified by until. Its PoC is the following C program:

#include <stdio.h>
#include <stdlib.h>

#include <unicorn/unicorn.h>
#include <capstone/capstone.h>

// x86_64 machine code.
const char target_code[] = \
"\xf3\x0f\x1e\xfa\x55\x48\x89\xe5\xc7\x45\xf8\x00\x00\x00\x00\xc7" \
"\x45\xfc\x00\x00\x00\x00\xeb\x1a\x83\x7d\xf8\x00\x75\x09\xc7\x45" \
"\xf8\x01\x00\x00\x00\xeb\x07\xc7\x45\xf8\x00\x00\x00\x00\x83\x45" \
"\xfc\x01\x83\x7d\xfc\x04\x7e\xe0\x90\x90\x5d\xc3";

// base address.
const uint64_t base_addr = 0x08000000;
// .text section offset.
const uint64_t text_offset = 0x40;
// .text section address.
const uint64_t text_addr = base_addr + text_offset;
// stack top offset.
const uint64_t stack_top_offset = 0x1fff;
// stack top address.
const uint64_t stack_top_addr = base_addr + stack_top_offset;

//
// a callback for tracing translation blocks.
//
static void
hook_block(uc_engine *uc, uint64_t address, uint32_t size, void *user_data)
{
    uc_err uerr;

    fprintf(stdout, ">>> Tracing basic block at 0x%" PRIx64 ", block size = 0x%x\n", address, size);

    // disassemble with capstone.
    csh handle;
    cs_err cerr;
    if ((cerr = cs_open(CS_ARCH_X86, CS_MODE_64, &handle))) {
        fprintf(stderr, "Failed to cs_open() with error returned %u: %s\n", cerr, cs_strerror(cerr));
        return;
    }
    uint8_t *code = (uint8_t *)malloc(sizeof(uint8_t) * size);
    if ((uerr = uc_mem_read(uc, address, (void *)code, size))) {
        fprintf(stderr, "Failed to uc_mem_read() with error returned %u: %s\n", uerr, uc_strerror(uerr));
        return;
    }
    size_t count = 0;
    cs_insn *insn;
    if ((count = cs_disasm(handle, code, size, address, 0, &insn)) > 0) {
        for (size_t i = 0; i < count; i++) {
            fprintf(stdout, "\t0x%"PRIx64":\t%s\t\t%s\n", insn[i].address, insn[i].mnemonic, insn[i].op_str);
        }
        cs_free(insn, count);
    } else {
        fprintf(stderr, "\tFailed to disassemble.\n");
    }

    free(code);
    if ((cerr = cs_close(&handle))) {
        fprintf(stderr, "Failed to cs_close() with error returned %u: %s\n", cerr, cs_strerror(cerr));
        return;
    }
}

int
main(int argc, char *argv[])
{
    uc_engine *uc;
    uc_err err;
    uc_hook trace;

    // initialize a uc_engine instance.
    if ((err = uc_open(UC_ARCH_X86, UC_MODE_64, &uc))) {
        fprintf(stderr, "Failed to uc_open() with error returned %u: %s\n", err, uc_strerror(err));
        return -1;
    }

    // allocate 8KiB memory for emulation.
    if ((err = uc_mem_map(uc, base_addr, 8 * 1024, UC_PROT_ALL))) {
        fprintf(stderr, "Failed to uc_mem_map() with error returned %u: %s\n", err, uc_strerror(err));
        return -1;
    }

    // write the target code to the memory.
    if ((err = uc_mem_write(uc, text_addr, (void *)target_code, sizeof(target_code) - 1))) {
        fprintf(stderr, "Failed to uc_mem_write() with error returned %u: %s\n", err, uc_strerror(err));
        return -1;
    }

    // add a block-tracing hook.
    if ((err = uc_hook_add(uc, &trace, UC_HOOK_BLOCK, hook_block, NULL, 1, 0))) {
        fprintf(stderr, "Failed to uc_hook_add() with error returned %u: %s\n", err, uc_strerror(err));
        return -1;
    }

    // initialize stack-related registers.
    int rbp = stack_top_addr;
    int rsp = stack_top_addr;
    if ((err = uc_reg_write(uc, UC_X86_REG_RBP, &rbp))) {  // rbp
        fprintf(stderr, "Failed to uc_reg_write() with error returned %u: %s\n", err, uc_strerror(err));
        return -1;
    }
    if ((err = uc_reg_write(uc, UC_X86_REG_RSP, &rsp))) {  // rsp
        fprintf(stderr, "Failed to uc_reg_write() with error returned %u: %s\n", err, uc_strerror(err));
        return -1;
    }

    fprintf(stdout, "==================== 1. Run emulation until it hits 0x08000058 or runs 0x7fff instructions. ====================\n");
    uint64_t eip = text_addr;
    if ((err = uc_emu_start(uc, eip, 0x08000058, 0, 0x7fff))) {
        fprintf(stderr, "Failed to uc_emu_start() with error returned %u: %s\n", err, uc_strerror(err));
        return -1;
    }
    fprintf(stdout, ">>> Execution stoped.\n");
    if ((err = uc_reg_read(uc, UC_X86_REG_EIP, &eip))) {
        fprintf(stderr, "Failed to uc_reg_read() with error returned %u: %s\n", err, uc_strerror(err));
        return -1;
    }
    fprintf(stdout, ">>> eip: 0x%"PRIx64"\n", eip);
    fprintf(stdout, "\n");

    fprintf(stdout, "==================== 2. Run just one instruction. =====================\n");
    if ((err = uc_emu_start(uc, eip, UINT64_MAX, 0, 1))) {
        fprintf(stderr, "Failed to uc_emu_start() with error returned %u: %s\n", err, uc_strerror(err));
        return -1;
    }
    fprintf(stdout, ">>> Execution stoped.\n");
    if ((err = uc_reg_read(uc, UC_X86_REG_EIP, &eip))) {
        fprintf(stderr, "Failed to uc_reg_read() with error returned %u: %s\n", err, uc_strerror(err));
        return -1;
    }
    fprintf(stdout, ">>> eip: 0x%"PRIx64"\n", eip);
    fprintf(stdout, "\n");

    fprintf(stdout, "==================== 3. Again, run emulation until it hits 0x08000058 or runs 0x7fff instructions. ====================\n");
    if ((err = uc_emu_start(uc, eip, 0x08000058, 0, 0x7fff))) {
        fprintf(stderr, "Failed to uc_emu_start() with error returned %u: %s\n", err, uc_strerror(err));
        return -1;
    }
    fprintf(stdout, ">>> Execution stoped.\n");
    if ((err = uc_reg_read(uc, UC_X86_REG_EIP, &eip))) {
        fprintf(stderr, "Failed to uc_reg_read() with error returned %u: %s\n", err, uc_strerror(err));
        return -1;
    }
    fprintf(stdout, ">>> eip: 0x%"PRIx64"\n", eip);
    fprintf(stdout, "\n");

    if ((err = uc_close(uc))) {
        fprintf(stderr, "Failed to uc_close() with error returned %u: %s\n", err, uc_strerror(err));
        return -1;
    }

    return 0;
}

This program calls uc_emu_start() three times:

1. Run emulation until it hits 0x08000058 or runs 0x7fff instructions.
2. Run just one instruction.
3. Again, run emulation until it hits 0x08000058 or runs 0x7fff instructions.

The output of this program is as follows:

==================== 1. Run emulation until it hits 0x08000058 or runs 0x7fff instructions. ====================
[uc] translate tb 0x8000040: 360.094000us                     
>>> Tracing basic block at 0x8000040, block size = 0x18
        0x8000040:      endbr64                                             
        0x8000044:      push            rbp
        0x8000045:      mov             rbp, rsp      
        0x8000048:      mov             dword ptr [rbp - 8], 0
        0x800004f:      mov             dword ptr [rbp - 4], 0
        0x8000056:      jmp             0x8000072
[uc] exec tb 0x8000040: 2093.186000us                                       
[uc] translate tb 0x8000072: 17.673000us              
>>> Tracing basic block at 0x8000072, block size = 0x6        
        0x8000072:      cmp             dword ptr [rbp - 4], 4
        0x8000076:      jle             0x8000058                           
[uc] exec tb 0x8000072: 38.650000us                                         
[uc] translate tb 0x8000058: 2.440000us                
>>> Execution stoped.                                                       
>>> eip: 0x8000058                                                          

==================== 2. Run just one instruction. =====================
[uc] translate tb 0x8000058: 12.431000us                                    
>>> Tracing basic block at 0x8000058, block size = 0x6
        0x8000058:      cmp             dword ptr [rbp - 8], 0
        0x800005c:      jne             0x8000067
[uc] exec tb 0x8000058: 40.663000us                                         
>>> Execution stoped.                                                       
>>> eip: 0x800005c

==================== 3. Again, run emulation until it hits 0x08000058 or runs 0x7fff instructions. ====================
[uc] translate tb 0x800005c: 19.594000us
>>> Tracing basic block at 0x800005c, block size = 0x2
        0x800005c:      jne             0x8000067
[uc] exec tb 0x800005c: 51.028000us
[uc] translate tb 0x800005e: 20.807000us
>>> Tracing basic block at 0x800005e, block size = 0x9
        0x800005e:      mov             dword ptr [rbp - 8], 1
        0x8000065:      jmp             0x800006e
[uc] exec tb 0x800005e: 63.323000us
[uc] translate tb 0x800006e: 32.649000us
>>> Tracing basic block at 0x800006e, block size = 0xa
        0x800006e:      add             dword ptr [rbp - 4], 1
        0x8000072:      cmp             dword ptr [rbp - 4], 4
        0x8000076:      jle             0x8000058
[uc] exec tb 0x800006e: 69.026000us
>>> Tracing basic block at 0x8000058, block size = 0x6
        0x8000058:      cmp             dword ptr [rbp - 8], 0
        0x800005c:      jne             0x8000067
[uc] exec tb 0x8000058: 56.497000us
[uc] translate tb 0x8000067: 41.810000us
>>> Tracing basic block at 0x8000067, block size = 0x11
        0x8000067:      mov             dword ptr [rbp - 8], 0
        0x800006e:      add             dword ptr [rbp - 4], 1
        0x8000072:      cmp             dword ptr [rbp - 4], 4
        0x8000076:      jle             0x8000058
[uc] exec tb 0x8000067: 92.436000us
>>> Tracing basic block at 0x8000058, block size = 0x6
        0x8000058:      cmp             dword ptr [rbp - 8], 0
        0x800005c:      jne             0x8000067
[uc] exec tb 0x8000058: 55.975000us
>>> Tracing basic block at 0x800005e, block size = 0x9
        0x800005e:      mov             dword ptr [rbp - 8], 1
        0x8000065:      jmp             0x800006e
>>> Tracing basic block at 0x800006e, block size = 0xa
        0x800006e:      add             dword ptr [rbp - 4], 1
        0x8000072:      cmp             dword ptr [rbp - 4], 4
        0x8000076:      jle             0x8000058
>>> Tracing basic block at 0x8000058, block size = 0x6
        0x8000058:      cmp             dword ptr [rbp - 8], 0
        0x800005c:      jne             0x8000067
>>> Tracing basic block at 0x8000067, block size = 0x11
        0x8000067:      mov             dword ptr [rbp - 8], 0
        0x800006e:      add             dword ptr [rbp - 4], 1
        0x8000072:      cmp             dword ptr [rbp - 4], 4
        0x8000076:      jle             0x8000058
>>> Tracing basic block at 0x8000058, block size = 0x6
        0x8000058:      cmp             dword ptr [rbp - 8], 0
        0x800005c:      jne             0x8000067
>>> Tracing basic block at 0x800005e, block size = 0x9
        0x800005e:      mov             dword ptr [rbp - 8], 1
        0x8000065:      jmp             0x800006e
>>> Tracing basic block at 0x800006e, block size = 0xa
        0x800006e:      add             dword ptr [rbp - 4], 1
        0x8000072:      cmp             dword ptr [rbp - 4], 4
        0x8000076:      jle             0x8000058
[uc] exec tb 0x800005e: 437.196000us
[uc] translate tb 0x8000078: 34.233000us
>>> Tracing basic block at 0x8000078, block size = 0x4
        0x8000078:      nop
        0x8000079:      nop
        0x800007a:      pop             rbp
        0x800007b:      ret
[uc] exec tb 0x8000078: 82.262000us
Failed to uc_emu_start() with error returned 6: Invalid memory read (UC_ERR_READ_UNMAPPED)

Unfortunately, the third uc_emu_start() doesn't stop even though it has hit 0x08000058.

Cause

AFAIK, the cause of this issue is QEMU's TB cache. Unicorn inserts TCG-IRs, which stop emulation when it hits until, when translating guest codes. Since QEMU doesn't know about it, it can re-execute TBs on the TB cache (with no code inserted for stopping emulation).

Solution/Workaround

I'm looking for a solution/workaround to this issue. One of the most reasonable workarounds is removing TB cache entries, including the address until before calling uc_emu_start(). For example:

uc_ctl_remove_cache(uc, until, until + 1);
uc_emu_start(uc, begin, until, timeout, count);

Are there any other solutions/workarounds?

The following code will raise unicorn.unicorn.UcError: Invalid argument (UC_ERR_ARG) ··· mu = Uc(UC_ARCH_ARM64, UC_MODE_ARM) address=0x10000 mu.mem_map(address, 1024*1024) mu.mem_map(0x7dd9cfb6c0, 1024) ··· but I change the last code to mu.mem_map(0x7dd9cfb000, 1024) I will work? Why?

Consider a scheduling mechanism based on number of instructions (i.e. switching context every n instructions):

while True:
     uc.restore(ctx)
     uc.emu_start(start_address, end_address, count=30000)
     ctx = uc.save()
     # do thread scheduling here

It appears that there is a problem with the delay slot on MIPS: in cases where the emulation stops just betrween the branch and the delay slot (i.e. branch has been taken into account, but the delay slot wasn't), the emulation will resume in the delay slot without remembering it was a delay slot, proceeding to the next instruction (address_of_slot + 4) instead of the original branch target.

Consider the following two runs of the same binary, where the difference is only in the switching point (i.e. count value).

Run 1: the branch (0040adf0) is appropriately taken

[running] 0040ace0 : jr       $ra               : state = 5ce982babced6a7e6156352e69f25317449ee14995341792121050f3209a376c
[running] 0040ace4 : move     $v0, $zero        : state = 10fa1031d22142bbae2b3950bdb31e762ad1732ad203354c1842b8a694a3e4b2
[running] 0040adec : lw       $gp, 0x10($sp)    : state = 10bf68088ff837760235c720ca9bb1d331d825046f59d04b03757d081993cc23
[running] 0040adf0 : b        0xad60            : state = d52343ac9cbd6638180379d6d4c085ce23bc2ecf587bc1ef3eae94d5be070720
[running] 0040adf4 : move     $s3, $v0          : state = dd6eb753d63e00471bfd8434e436b8065e48957c3a31823724f87c42875bd13a
[running] 0040ad60 : addiu    $a2, $s1, 8       : state = 4c9e89248b6b43d0c4b952e735da2ed202c095910a57ddcd0f9c8cafac3f4afe
[running] 0040ad64 : lw       $s1, -0x7e34($gp) : state = fd7a84dd509c6a34e08e11545e27c08e1a7ab2d6c5b921225f4ef6261a1b344b

Run 2: context is switched just between the branch (0040adf0) and the delay slot (0040adf4)

[running] 0040ace0 : jr       $ra               : state = 5ce982babced6a7e6156352e69f25317449ee14995341792121050f3209a376c
[running] 0040ace4 : move     $v0, $zero        : state = 10fa1031d22142bbae2b3950bdb31e762ad1732ad203354c1842b8a694a3e4b2
[running] 0040adec : lw       $gp, 0x10($sp)    : state = 10bf68088ff837760235c720ca9bb1d331d825046f59d04b03757d081993cc23
[running] 0040adf0 : b        0xad60            : state = d52343ac9cbd6638180379d6d4c085ce23bc2ecf587bc1ef3eae94d5be070720
[stopped] 0040adf4 : move     $s3, $v0          : state = 3037a37fdf5c9af1660725b978028b0eb3ce48f9585de0bdd56507dace8aa919
[running] 0040adf4 : move     $s3, $v0          : state = 3037a37fdf5c9af1660725b978028b0eb3ce48f9585de0bdd56507dace8aa919
[running] 0040adf8 : addiu    $v0, $zero, 1     : state = a47d219a7e22f52f0f7807f428c692baa1441b648ed24edcbd11c4c70c3ac88e
[running] 0040adfc : lw       $s4, 0x30($sp)    : state = 28faa4e990114295d1564334e8973014e50a1e8bea7212a35fe12bb8f34dcbc1

Notes:

• The [stopped] label shows the next instruction to resume from; it has not been executed yet
• The state is a sha256 digest of all arch registers values concatenated together

Note that the state for delay slot (0040adf4) is different between the two runs, which may indicate that there is an information missing / not updated correctly.