How to use unicorn - 10 common examples
To help you get started, we’ve selected a few unicorn examples, based on popular ways it is used in public projects.
Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.
unicorn-engine / unicorn / tests / regress / jmp_ebx_hang.py View on Github 
mu.mem_map(CODE_ADDR, 1024 * 4)
mu.mem_write(CODE_ADDR, CODE)
# If EBX is zero then an exception is raised, as expected
mu.reg_write(unicorn.x86_const.UC_X86_REG_EBX, 0x0)
print(">>> jmp ebx (ebx = 0)");
with self.assertRaises(UcError) as m:
mu.emu_start(CODE_ADDR, CODE_ADDR + 2, count=1)
self.assertEqual(m.exception.errno, UC_ERR_FETCH_UNMAPPED)
print(">>> jmp ebx (ebx = 0xaa96a47f)");
mu = unicorn.Uc(UC_ARCH_X86, UC_MODE_32)
mu.mem_map(CODE_ADDR, 1024 * 4)
# If we write this address to EBX then the emulator hangs on emu_start
mu.reg_write(unicorn.x86_const.UC_X86_REG_EBX, 0xaa96a47f)
mu.mem_write(CODE_ADDR, CODE)
with self.assertRaises(UcError) as m:
mu.emu_start(CODE_ADDR, CODE_ADDR + 2, count=1)
self.assertEqual(m.exception.errno, UC_ERR_FETCH_UNMAPPED)def test_seg1(self):
u = unicorn.Uc(unicorn.UC_ARCH_X86, unicorn.UC_MODE_32)
u.mem_map(0x2000, 0x1000)
u.mem_read(0x2000, 1)
for i in range(50):
u = unicorn.Uc(unicorn.UC_ARCH_X86, unicorn.UC_MODE_32)
u.mem_map(i*0x1000, 0x1000)
u.mem_read(i*0x1000, 1)
for i in range(20):
with self.assertRaises(UcError):
u = unicorn.Uc(unicorn.UC_ARCH_X86, unicorn.UC_MODE_32)
u.mem_map(i*0x1000, 5)
u.mem_read(i*0x1000, 1)#!/usr/bin/env python
"""https://github.com/unicorn-engine/unicorn/issues/165"""
import unicorn
def hook_mem_read_unmapped(mu, access, address, size, value, user_data):
pass
mu = unicorn.Uc(unicorn.UC_ARCH_X86, unicorn.UC_MODE_32)
try:
for x in range(0, 1000):
mu.hook_add(unicorn.UC_HOOK_MEM_READ_UNMAPPED, hook_mem_read_unmapped, None)
except unicorn.UcError as e:
print("ERROR: %s" % e)#!/usr/bin/env python
"""https://github.com/unicorn-engine/unicorn/issues/165"""
import unicorn
def hook_mem_read_unmapped(mu, access, address, size, value, user_data):
pass
mu = unicorn.Uc(unicorn.UC_ARCH_X86, unicorn.UC_MODE_32)
try:
for x in range(0, 1000):
mu.hook_add(unicorn.UC_HOOK_MEM_READ_UNMAPPED, hook_mem_read_unmapped, None)
except unicorn.UcError as e:
print("ERROR: %s" % e)def test_eflags(self):
# xor r14,r14
CODE = 'M1\xf6'
uc = U.Uc(U.UC_ARCH_X86, U.UC_MODE_64)
uc.reg_write(U.x86_const.UC_X86_REG_RIP, 0x6000b0)
uc.reg_write(U.x86_const.UC_X86_REG_EFLAGS, 0x200)
uc.mem_map(0x600000, 0x1000)
uc.mem_write(0x6000b0, CODE)
uc.emu_start(0x6000b0, 0, count=1)
# Here's the original execution trace for this on actual hardware.
#
# (gdb) x/i $pc
# => 0x6000b0: xor %r14,%r14
# (gdb) p/x $eflags
# $1 = 0x200
# (gdb) p $eflags
# $2 = [ IF ]
# (gdb) si# Here's the original execution trace for this on actual hardware.
#
# (gdb) x/i $pc
# => 0x6000b0: xor %r14,%r14
# (gdb) p/x $eflags
# $1 = 0x200
# (gdb) p $eflags
# $2 = [ IF ]
# (gdb) si
# 0x00000000006000b3 in ?? ()
# (gdb) p/x $eflags
# $3 = 0x246
# (gdb) p $eflags
# $4 = [ PF ZF IF ]
self.assertEqual(0x6000b3, uc.reg_read(U.x86_const.UC_X86_REG_RIP))
self.assertEqual(0x246, uc.reg_read(U.x86_const.UC_X86_REG_EFLAGS))err_msg = 'unhandled error'
if err == self.ERR_INVALID_TID:
err_msg = 'invalid thread id'
elif err == self.ERR_INVALID_CONTEXT:
err_msg = 'invalid context'
raise self.EmulatorSetupFailedError('Setup failed: %s' % err_msg)
# calculate the start address
address = self._next_instruction
if address == 0:
if self.uc._arch == unicorn.UC_ARCH_ARM:
address = self.uc.reg_read(unicorn.arm_const.UC_ARM_REG_PC)
elif self.uc._arch == unicorn.UC_ARCH_ARM64:
address = self.uc.reg_read(unicorn.arm64_const.UC_ARM64_REG_PC)
elif self.uc._arch == unicorn.UC_ARCH_X86 and self.uc._mode == unicorn.UC_MODE_32:
address = self.uc.reg_read(unicorn.x86_const.UC_X86_REG_EIP)
elif self.uc._arch == unicorn.UC_ARCH_X86 and self.uc._mode == unicorn.UC_MODE_64:
address = self.uc.reg_read(unicorn.x86_const.UC_X86_REG_RIP)
else:
raise self.EmulatorSetupFailedError('Unsupported arch')
if until > 0:
self.log_to_ui('[*] start emulation from %s to %s' % (hex(address), hex(self.end_ptr)))
else:
if step_mode == STEP_MODE_NONE or step_mode == STEP_MODE_SINGLE:
self.log_to_ui('[*] stepping %s' % hex(address))
elif step_mode == STEP_MODE_FUNCTION:
self.log_to_ui('[*] stepping to next function call')
elif step_mode == STEP_MODE_JUMP:
self.log_to_ui('[*] stepping to next jump')
self.onEmulatorStart.emit()if err == self.ERR_INVALID_TID:
err_msg = 'invalid thread id'
elif err == self.ERR_INVALID_CONTEXT:
err_msg = 'invalid context'
raise self.EmulatorSetupFailedError('Setup failed: %s' % err_msg)
# calculate the start address
address = self._next_instruction
if address == 0:
if self.uc._arch == unicorn.UC_ARCH_ARM:
address = self.uc.reg_read(unicorn.arm_const.UC_ARM_REG_PC)
elif self.uc._arch == unicorn.UC_ARCH_ARM64:
address = self.uc.reg_read(unicorn.arm64_const.UC_ARM64_REG_PC)
elif self.uc._arch == unicorn.UC_ARCH_X86 and self.uc._mode == unicorn.UC_MODE_32:
address = self.uc.reg_read(unicorn.x86_const.UC_X86_REG_EIP)
elif self.uc._arch == unicorn.UC_ARCH_X86 and self.uc._mode == unicorn.UC_MODE_64:
address = self.uc.reg_read(unicorn.x86_const.UC_X86_REG_RIP)
else:
raise self.EmulatorSetupFailedError('Unsupported arch')
if until > 0:
self.log_to_ui('[*] start emulation from %s to %s' % (hex(address), hex(self.end_ptr)))
else:
if step_mode == STEP_MODE_NONE or step_mode == STEP_MODE_SINGLE:
self.log_to_ui('[*] stepping %s' % hex(address))
elif step_mode == STEP_MODE_FUNCTION:
self.log_to_ui('[*] stepping to next function call')
elif step_mode == STEP_MODE_JUMP:
self.log_to_ui('[*] stepping to next jump')
self.onEmulatorStart.emit()
# invalidate prefs before startdef place_input(uc, input):
import util
from unicorn.x86_const import UC_X86_REG_RDI, UC_X86_REG_RSI
if len(input) > 512:
import os
os._exit(0) # probably too big anyway.
# ulong decode_negTokenInit(char *security_blob, ulong length, byte *param_3) => RDI, RSI, ...
# read input to the correct position at param rdi here:
rdi = uc.reg_read(UC_X86_REG_RDI)
#rsi = uc.reg_read(UC_X86_REG_RSI)
util.map_page_blocking(uc, rdi) # ensure security_blob is mapped
uc.mem_write(rdi, input) # insert afl input
uc.reg_write(UC_X86_REG_RSI, len(input)) # write lengthdef place_input_skb(ucf: Unicorefuzz, uc: Uc, input: bytes) -> None:
"""
Places the input in memory and alters the input.
This is an example for sk_buff in openvsswitch
"""
if len(input) > 1500:
import os
os._exit(0) # too big!
# read input to the correct position at param rdx here:
rdx = uc.reg_read(UC_X86_REG_RDX)
rdi = uc.reg_read(UC_X86_REG_RDI)
ucf.map_page_blocking(uc, rdx) # ensure sk_buf is mapped
bufferPtr = struct.unpack("
Popular unicorn functions
- unicorn.arm64_const
- unicorn.arm_const
- unicorn.mips_const
- unicorn.Uc
- unicorn.Uc.hook_del
- unicorn.Uc.mem_unmap
- unicorn.UC_ARCH_ARM
- unicorn.UC_ARCH_ARM64
- unicorn.UC_ARCH_MIPS
- unicorn.UC_ARCH_X86
- unicorn.UC_HOOK_CODE
- unicorn.UC_MODE_32
- unicorn.UC_MODE_64
- unicorn.UC_MODE_ARM
- unicorn.UC_MODE_LITTLE_ENDIAN
- unicorn.UC_MODE_THUMB
- unicorn.UcError
- unicorn.x86_const
- unicorn.x86_const.UC_X86_REG_RDI
- unicorn.x86_const.UC_X86_REG_RIP