How to use the unicorn.UC_MODE_64 function in unicorn
To help you get started, we’ve selected a few unicorn examples, based on popular ways it is used in public projects.
Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.
iGio90 / Dwarf / lib / emulator.py View on Github 
if err == self.ERR_INVALID_TID:
err_msg = 'invalid thread id'
elif err == self.ERR_INVALID_CONTEXT:
err_msg = 'invalid context'
raise self.EmulatorSetupFailedError('Setup failed: %s' % err_msg)
# calculate the start address
address = self._next_instruction
if address == 0:
if self.uc._arch == unicorn.UC_ARCH_ARM:
address = self.uc.reg_read(unicorn.arm_const.UC_ARM_REG_PC)
elif self.uc._arch == unicorn.UC_ARCH_ARM64:
address = self.uc.reg_read(unicorn.arm64_const.UC_ARM64_REG_PC)
elif self.uc._arch == unicorn.UC_ARCH_X86 and self.uc._mode == unicorn.UC_MODE_32:
address = self.uc.reg_read(unicorn.x86_const.UC_X86_REG_EIP)
elif self.uc._arch == unicorn.UC_ARCH_X86 and self.uc._mode == unicorn.UC_MODE_64:
address = self.uc.reg_read(unicorn.x86_const.UC_X86_REG_RIP)
else:
raise self.EmulatorSetupFailedError('Unsupported arch')
if until > 0:
self.log_to_ui('[*] start emulation from %s to %s' % (hex(address), hex(self.end_ptr)))
else:
if step_mode == STEP_MODE_NONE or step_mode == STEP_MODE_SINGLE:
self.log_to_ui('[*] stepping %s' % hex(address))
elif step_mode == STEP_MODE_FUNCTION:
self.log_to_ui('[*] stepping to next function call')
elif step_mode == STEP_MODE_JUMP:
self.log_to_ui('[*] stepping to next jump')
self.onEmulatorStart.emit()
# invalidate prefs before startdef setup_x64(self):
self.uc = unicorn.Uc(unicorn.UC_ARCH_X86, unicorn.UC_MODE_64)
self.cs = Cs(CS_ARCH_X86, CS_MODE_64)def __init__(self, trace=True, sca_mode=False, local_vars={}):
super().__init__(trace, sca_mode)
self.emu = uc.Uc(uc.UC_ARCH_X86, uc.UC_MODE_64)
self.disasm = cs.Cs(cs.CS_ARCH_X86, cs.CS_MODE_64)
self.disasm.detail = True
self.word_size = 8
self.endianness = "little"
self.page_size = self.emu.query(uc.UC_QUERY_PAGE_SIZE)
self.page_shift = self.page_size.bit_length() - 1
self.pc = uc.x86_const.UC_X86_REG_RIP
# workaround for capstone 4
uc.x86_const.UC_X86_REG_RFLAGS = uc.x86_const.UC_X86_REG_EFLAGS
known_regs = [i[len('UC_X86_REG_'):] for i in dir(uc.x86_const) if '_REG' in i]
self.reg_map = {r.lower(): getattr(uc.x86_const, 'UC_X86_REG_'+r) for r in known_regs}
self.stubbed_functions = local_vars
self.setup(sca_mode)def get_uc_mode(self):
"""
Retrieve the mode used by Unicorn for the current architecture.
"""
arch = pwndbg.arch.current
mode = 0
if arch == 'armcm':
mode |= (U.UC_MODE_MCLASS | U.UC_MODE_THUMB) if (pwndbg.regs.xpsr & (1<<24)) else U.UC_MODE_MCLASS
elif arch in ('arm', 'aarch64'):
mode |= U.UC_MODE_THUMB if (pwndbg.regs.cpsr & (1<<5)) else U.UC_MODE_ARM
else:
mode |= {4:U.UC_MODE_32, 8:U.UC_MODE_64}[pwndbg.arch.ptrsize]
if pwndbg.arch.endian == 'little':
mode |= U.UC_MODE_LITTLE_ENDIAN
else:
mode |= U.UC_MODE_BIG_ENDIAN
return modedef __init__(self):
Emulator.__init__(self, "X86",
unicorn.UC_ARCH_X86,
unicorn.UC_MODE_64,
"rip",
64,
["rsp", "cs", "ss", "rbx", "si", "ip"])
self.syscall_regnames = ["rdi", "rsi", "rcx", "r8", "rdx",
"r9", "rbx", "rax"]
self.stackbot = "rbp"
self.stacktop = "rsp"elif architecture == "x86":
cur_arch = uc.UC_ARCH_X86
cs_arch = cs.CS_ARCH_X86
if bits == 32:
cur_mode = uc.UC_MODE_32
cs_mode = cs.CS_MODE_32
elif bits == 16:
cur_mode = uc.UC_MODE_16
cs_mode = cs.CS_MODE_16
else:
raise PimpMyRideException("Unknown %dbit for x86 architecture" % bits)
elif architecture == "x64":
cur_arch = uc.UC_ARCH_X86
cur_mode = uc.UC_MODE_64
cs_arch = cs.CS_ARCH_X86
cs_mode = cs.CS_MODE_64
else:
raise PimpMyRideException(
"Unsupported architecture %s" % architecture)
self.logger.debug("Architecture: %s %dbits" % (
architecture, bits))
self.architecture = cur_arch
self.mode = cur_mode
self._cs_arch = cs_arch
self._cs_mode = cs_modeimport capstone
import utils
bits = 64
regs = [
"rax", "rcx", "rdx", "rbx",
"rsp", "rbp", "rsi", "rdi",
"r8" , "r9" , "r10", "r11",
"r12", "r13", "r14", "r15",
"rip"
]
unicorn_arch = unicorn.UC_ARCH_X86
unicorn_mode = unicorn.UC_MODE_64
capstone_arch = capstone.CS_ARCH_X86
capstone_mode = capstone.CS_MODE_64
unicorn_regs = {}
capstone_regs = {}
for reg in regs:
unicorn_regs[reg] = getattr(unicorn.x86_const, "UC_X86_REG_" + reg.upper())
capstone_regs[reg] = getattr(capstone.x86_const, "X86_REG_" + reg.upper())
instruction_pointer = "rip"
stack_pointer = "rsp"
ip = instruction_pointer
sp = stack_pointereax = self.__uc.reg_read(UC_X86_REG_EAX)
ebx = self.__uc.reg_read(UC_X86_REG_EBX)
ecx = self.__uc.reg_read(UC_X86_REG_ECX)
edx = self.__uc.reg_read(UC_X86_REG_EDX)
edi = self.__uc.reg_read(UC_X86_REG_ESI)
esi = self.__uc.reg_read(UC_X86_REG_EDI)
ebp = self.__uc.reg_read(UC_X86_REG_EBP)
esp = self.__uc.reg_read(UC_X86_REG_ESP)
eip = self.__uc.reg_read(UC_X86_REG_EIP)
eflags = self.__uc.reg_read(UC_X86_REG_EFLAGS)
self.logger.debug(" EAX = 0x%08x EBX = 0x%08x ECX = 0x%08x EDX = 0x%08x" % (eax, ebx, ecx, edx))
self.logger.debug(" EDI = 0x%08x ESI = 0x%08x EBP = 0x%08x ESP = 0x%08x" % (edi, esi, ebp, esp))
self.logger.debug(" EIP = 0x%08x" % eip)
elif self.mode == uc.UC_MODE_64:
rax = self.__uc.reg_read(UC_X86_REG_RAX)
rbx = self.__uc.reg_read(UC_X86_REG_RBX)
rcx = self.__uc.reg_read(UC_X86_REG_RCX)
rdx = self.__uc.reg_read(UC_X86_REG_RDX)
rdi = self.__uc.reg_read(UC_X86_REG_RSI)
rsi = self.__uc.reg_read(UC_X86_REG_RDI)
rbp = self.__uc.reg_read(UC_X86_REG_RBP)
rsp = self.__uc.reg_read(UC_X86_REG_RSP)
rip = self.__uc.reg_read(UC_X86_REG_RIP)
r8 = self.__uc.reg_read(UC_X86_REG_R8)
r9 = self.__uc.reg_read(UC_X86_REG_R9)
r10 = self.__uc.reg_read(UC_X86_REG_R10)
r11 = self.__uc.reg_read(UC_X86_REG_R11)
r12 = self.__uc.reg_read(UC_X86_REG_R12)
r13 = self.__uc.reg_read(UC_X86_REG_R13)
r14 = self.__uc.reg_read(UC_X86_REG_R14)dis = idc.generate_disasm_line(addr, 0)
# is this instruction a "call reg" and IDA hasn't already identified it as something?
if ((dis[:4] == "call" or dis[:2] == "BL") and ";" not in dis and
addr not in userData["msgSendXrefs"] and
idc.get_operand_type(addr, 0) == 1):
userData["possibleMsgSendXrefs"].append(addr)
targets.append(addr)
addr = idc.next_head(addr, idc.get_inf_attr(idc.INF_MAX_EA))
userData["selXrefs"] = {}
userData["patchedSelRefs"] = {}
if eh.arch == unicorn.UC_ARCH_ARM:
emuHook = self.objc2AnalyzeHookARM
elif eh.arch == unicorn.UC_ARCH_ARM64:
emuHook = self.objc2AnalyzeHookARM64
elif eh.arch == unicorn.UC_ARCH_X86 and eh.mode == unicorn.UC_MODE_64:
emuHook = self.objc2AnalyzeHookX64
else:
logging.debug("unsupported architecture, quitting..")
eh.iterate(targets, self.targetCallback, self.preEmuCallback,
self.callHook, emuHook, userData, True)
# reload with patches
eh.initEmuHelper()
eh.reloadBinary()# x86
if is_x86_16(a):
if lib=="keystone": arch, mode, endian = keystone.KS_ARCH_X86, keystone.KS_MODE_16, keystone.KS_MODE_LITTLE_ENDIAN
elif lib=="capstone": arch, mode, endian = capstone.CS_ARCH_X86, capstone.CS_MODE_16, capstone.CS_MODE_LITTLE_ENDIAN
else: arch, mode, endian = unicorn.UC_ARCH_X86, unicorn.UC_MODE_16, unicorn.UC_MODE_LITTLE_ENDIAN
elif is_x86_32(a):
if lib=="keystone": arch, mode, endian = keystone.KS_ARCH_X86, keystone.KS_MODE_32, keystone.KS_MODE_LITTLE_ENDIAN
elif lib=="capstone": arch, mode, endian = capstone.CS_ARCH_X86, capstone.CS_MODE_32, capstone.CS_MODE_LITTLE_ENDIAN
else: arch, mode, endian = unicorn.UC_ARCH_X86, unicorn.UC_MODE_32, unicorn.UC_MODE_LITTLE_ENDIAN
elif is_x86_64(a):
if lib=="keystone": arch, mode, endian = keystone.KS_ARCH_X86, keystone.KS_MODE_64, keystone.KS_MODE_LITTLE_ENDIAN
elif lib=="capstone": arch, mode, endian = capstone.CS_ARCH_X86, capstone.CS_MODE_64, capstone.CS_MODE_LITTLE_ENDIAN
else: arch, mode, endian = unicorn.UC_ARCH_X86, unicorn.UC_MODE_64, unicorn.UC_MODE_LITTLE_ENDIAN
# arm
elif is_arm(a):
if lib=="keystone": arch, mode, endian = keystone.KS_ARCH_ARM, keystone.KS_MODE_ARM, keystone.KS_MODE_LITTLE_ENDIAN
elif lib=="capstone": arch, mode, endian = capstone.CS_ARCH_ARM, capstone.CS_MODE_ARM, capstone.CS_MODE_LITTLE_ENDIAN
else: arch, mode, endian = unicorn.UC_ARCH_ARM, unicorn.UC_MODE_ARM, unicorn.UC_MODE_LITTLE_ENDIAN
elif is_arm_thumb(a):
if lib=="keystone": arch, mode, endian = keystone.KS_ARCH_ARM, keystone.KS_MODE_THUMB, keystone.KS_MODE_LITTLE_ENDIAN
elif lib=="capstone": arch, mode, endian = capstone.CS_ARCH_ARM, capstone.CS_MODE_THUMB, capstone.CS_MODE_LITTLE_ENDIAN
else: arch, mode, endian = unicorn.UC_ARCH_ARM, unicorn.UC_MODE_THUMB, unicorn.UC_MODE_LITTLE_ENDIAN
# aarch64
elif is_aarch64(a):
if lib=="keystone": arch, mode, endian = keystone.KS_ARCH_ARM64, 0, keystone.KS_MODE_LITTLE_ENDIAN
elif lib=="capstone": arch, mode, endian = capstone.CS_ARCH_ARM64, capstone.CS_MODE_ARM, capstone.CS_MODE_LITTLE_ENDIAN
else: arch, mode, endian = unicorn.UC_ARCH_ARM64, unicorn.UC_MODE_ARM, unicorn.UC_MODE_LITTLE_ENDIAN
Popular unicorn functions
- unicorn.arm64_const
- unicorn.arm_const
- unicorn.mips_const
- unicorn.Uc
- unicorn.Uc.hook_del
- unicorn.Uc.mem_unmap
- unicorn.UC_ARCH_ARM
- unicorn.UC_ARCH_ARM64
- unicorn.UC_ARCH_MIPS
- unicorn.UC_ARCH_X86
- unicorn.UC_HOOK_CODE
- unicorn.UC_MODE_32
- unicorn.UC_MODE_64
- unicorn.UC_MODE_ARM
- unicorn.UC_MODE_LITTLE_ENDIAN
- unicorn.UC_MODE_THUMB
- unicorn.UcError
- unicorn.x86_const
- unicorn.x86_const.UC_X86_REG_RDI
- unicorn.x86_const.UC_X86_REG_RIP