SlideShare a Scribd company logo
1 of 19
Download to read offline
Unicorn: The
Ultimate CPU
Emulator
Akshay Ajayan (@r00tus3r)
About me
➢ Akshay Ajayan (@r00tus3r)
➢ Third year B.Tech CSE Undergraduate
○ @Amrita Vishwa Vidyapeetham
➢ CTF Player
○ @teambi0s
➢ Focusing on Software Reverse Engineering
Agenda
➢ CPU Emulator
➢ Unicorn Engine
○ Challenges
○ Qemu vs Unicorn
➢ Demo
➢ Summary
CPU Emulator
Emulates physical CPU using software only
Internals of a CPU Emulator
➢ Decode binary into separate instructions
➢ Emulate exactly what each instruction does
○ ISA Manual reference is required
○ Handle memory access & I/O upon
requested
➢ Update CPU context after each step
Example of emulation
➢ Ex: 01D1 → add eax, ebx
○ load eax & ebx registers
○ add values of eax & ebx, then copy result
to eax
○ update flags OF, SF, ZF, AF, CF, PF
accordingly
Applications
➢ Emulate the code without needing to have a
real CPU
➢ Safely analyze malware code, detect virus
signature
➢ Verify code semantics in reversing
Unicorn Engine
➢ Open source CPU emulator framework
○ www.unicorn-engine.org
➢ Developed by:
○ Nguyen Anh Quynh
■ Computer Security Researcher
○ Dang Hoang Vu
■ Security engineer and researcher
Features
➢ Multi-architectures: Arm, Arm64 (Armv8), M68K,
Mips, Sparc, & X86 (include X86_64)
➢ Clean/simple/lightweight architecture-neutral
API
➢ Implemented in pure C language, with bindings
for Perl, Rust, Python, Java, Go etc
➢ Native support for Windows & *nix (with Mac
OSX, Linux, *BSD & Solaris confirmed)
➢ High performance by using JIT compiler
technique
➢ Support fine-grained instrumentation at various
levels
How was it built?
➢ Forked Qemu?
➢ Were there any challenges?
➢ How is it different?
Unicorn vs Qemu
➢ Independent and flexible framework
➢ Much more compact in size, lightweight in
memory
➢ Thread-safe with multiple architectures
supported in a single binary
➢ Provide interface for dynamic instrumentation
➢ And many more...
Showcase
➢ Radare2
➢ Angr
➢ Usercorn
➢ Cuckoo
➢ Pwndbg
➢ ROPChain
➢ Unicorn.Js
➢ Pwntools
Intro to Unicorn API
➢ The core provides API in C
○ open & close Unicorn instance
○ start & stop emulation
○ read & write memory & registers
○ instrument with user-defined callbacks
for instructions/single-step/memory
event etc
➢ Bindings for multiple languages
Demo 1
Demo 2
Demo 3
Summary
➢ Open source CPU emulator framework
➢ Multi-architecture, Multi-platform
➢ Core in pure C, and support for multiple
binding languages
➢ Build your own tools on top of it
➢ Allows instrumentation at various levels
Questions?
Ping @r00tus3r
References
➢ www.unicorn-engine.org
➢ www.unicorn-engine.org/BHUSA2015-unic
orn.pdf
➢ www.eternal.red/2018/unicorn-engine-tuto
rial

More Related Content

What's hot

Plc2 2015 your own ide
Plc2 2015 your own idePlc2 2015 your own ide
Plc2 2015 your own ide
Sigasi
 
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions
Zoltan Balazs
 
CodePackager - Pack and Unpack repositories to mobile storage
CodePackager - Pack and Unpack repositories to mobile storageCodePackager - Pack and Unpack repositories to mobile storage
CodePackager - Pack and Unpack repositories to mobile storage
Cheyin L
 

What's hot (20)

Workshop@naha_val3
Workshop@naha_val3Workshop@naha_val3
Workshop@naha_val3
 
Fundamental Virtualisasi di openSUSE
Fundamental Virtualisasi di openSUSEFundamental Virtualisasi di openSUSE
Fundamental Virtualisasi di openSUSE
 
Workshop@naha val3
Workshop@naha val3Workshop@naha val3
Workshop@naha val3
 
How can OpenNebula fit your needs - OpenNebulaConf 2013
How can OpenNebula fit your needs - OpenNebulaConf 2013 How can OpenNebula fit your needs - OpenNebulaConf 2013
How can OpenNebula fit your needs - OpenNebulaConf 2013
 
2. [Daily hack] Citrix_waf_bypass
2. [Daily hack] Citrix_waf_bypass2. [Daily hack] Citrix_waf_bypass
2. [Daily hack] Citrix_waf_bypass
 
Maemo Development Environment
Maemo Development EnvironmentMaemo Development Environment
Maemo Development Environment
 
Adding Extended Attribute Support to NFS
Adding Extended Attribute Support to NFSAdding Extended Attribute Support to NFS
Adding Extended Attribute Support to NFS
 
Plc2 2015 your own ide
Plc2 2015 your own idePlc2 2015 your own ide
Plc2 2015 your own ide
 
AV Evasion with the Veil Framework
AV Evasion with the Veil FrameworkAV Evasion with the Veil Framework
AV Evasion with the Veil Framework
 
Hacking the Linux Kernel - An Introduction
Hacking the Linux Kernel - An IntroductionHacking the Linux Kernel - An Introduction
Hacking the Linux Kernel - An Introduction
 
Veil-Ordnance
Veil-OrdnanceVeil-Ordnance
Veil-Ordnance
 
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions
 
How Can OpenNebula Fit Your Needs: A European Project Feedback
How Can OpenNebula Fit Your Needs: A European Project FeedbackHow Can OpenNebula Fit Your Needs: A European Project Feedback
How Can OpenNebula Fit Your Needs: A European Project Feedback
 
Introduction to .NET
Introduction to .NETIntroduction to .NET
Introduction to .NET
 
Kernel Recipes 2013 - Kernel for your device
Kernel Recipes 2013 - Kernel for your deviceKernel Recipes 2013 - Kernel for your device
Kernel Recipes 2013 - Kernel for your device
 
Pentesting tricks - Out with Powershell, in with C#
Pentesting tricks - Out with Powershell, in with C#Pentesting tricks - Out with Powershell, in with C#
Pentesting tricks - Out with Powershell, in with C#
 
Extending bhyve beyond FreeBSD guests - EuroBSDCon 2013
Extending bhyve beyond FreeBSD guests - EuroBSDCon 2013Extending bhyve beyond FreeBSD guests - EuroBSDCon 2013
Extending bhyve beyond FreeBSD guests - EuroBSDCon 2013
 
Quickly Debug VM Failures in OpenStack
Quickly Debug VM Failures in OpenStackQuickly Debug VM Failures in OpenStack
Quickly Debug VM Failures in OpenStack
 
Docker. Micro services for lazy developers
Docker. Micro services for lazy developersDocker. Micro services for lazy developers
Docker. Micro services for lazy developers
 
CodePackager - Pack and Unpack repositories to mobile storage
CodePackager - Pack and Unpack repositories to mobile storageCodePackager - Pack and Unpack repositories to mobile storage
CodePackager - Pack and Unpack repositories to mobile storage
 

Similar to Unicorn: The Ultimate CPU Emulator by Akshay Ajayan

[CB19] Semzhu-Project – A self-made new world of embedded hypervisors and att...
[CB19] Semzhu-Project – A self-made new world of embedded hypervisors and att...[CB19] Semzhu-Project – A self-made new world of embedded hypervisors and att...
[CB19] Semzhu-Project – A self-made new world of embedded hypervisors and att...
CODE BLUE
 
Multi-Processor computing with OpenMP
Multi-Processor computing with OpenMPMulti-Processor computing with OpenMP
Multi-Processor computing with OpenMP
Stefan Coetzee
 
EcoreTools-Next: Executable DSL made (more) accessible
EcoreTools-Next: Executable DSL made (more) accessibleEcoreTools-Next: Executable DSL made (more) accessible
EcoreTools-Next: Executable DSL made (more) accessible
Cédric Brun
 
Leveraging Android's Linux Heritage at AnDevCon IV
Leveraging Android's Linux Heritage at AnDevCon IVLeveraging Android's Linux Heritage at AnDevCon IV
Leveraging Android's Linux Heritage at AnDevCon IV
Opersys inc.
 

Similar to Unicorn: The Ultimate CPU Emulator by Akshay Ajayan (20)

VASCAN - Docker and Security
VASCAN - Docker and SecurityVASCAN - Docker and Security
VASCAN - Docker and Security
 
Heterogeneous multiprocessing on androd and i.mx7
Heterogeneous multiprocessing on androd and i.mx7Heterogeneous multiprocessing on androd and i.mx7
Heterogeneous multiprocessing on androd and i.mx7
 
COMPILER DESIGN.pdf
COMPILER DESIGN.pdfCOMPILER DESIGN.pdf
COMPILER DESIGN.pdf
 
[CB19] Semzhu-Project – A self-made new world of embedded hypervisors and att...
[CB19] Semzhu-Project – A self-made new world of embedded hypervisors and att...[CB19] Semzhu-Project – A self-made new world of embedded hypervisors and att...
[CB19] Semzhu-Project – A self-made new world of embedded hypervisors and att...
 
Multi-Processor computing with OpenMP
Multi-Processor computing with OpenMPMulti-Processor computing with OpenMP
Multi-Processor computing with OpenMP
 
Engineer Engineering Software
Engineer Engineering SoftwareEngineer Engineering Software
Engineer Engineering Software
 
Containers > VMs
Containers > VMsContainers > VMs
Containers > VMs
 
Hands on OpenCL
Hands on OpenCLHands on OpenCL
Hands on OpenCL
 
Memory Forensics in AWS
Memory Forensics in AWSMemory Forensics in AWS
Memory Forensics in AWS
 
Everything as code
Everything as codeEverything as code
Everything as code
 
Explore asp.net core 3.0 features
Explore asp.net core 3.0 featuresExplore asp.net core 3.0 features
Explore asp.net core 3.0 features
 
Embedded platform choices
Embedded platform choicesEmbedded platform choices
Embedded platform choices
 
Introduction to Ewasm - crosslink taipei 2019
Introduction to Ewasm - crosslink taipei 2019Introduction to Ewasm - crosslink taipei 2019
Introduction to Ewasm - crosslink taipei 2019
 
EcoreTools-Next: Executable DSL made (more) accessible
EcoreTools-Next: Executable DSL made (more) accessibleEcoreTools-Next: Executable DSL made (more) accessible
EcoreTools-Next: Executable DSL made (more) accessible
 
Craftsmanship in Computational Work
Craftsmanship in Computational WorkCraftsmanship in Computational Work
Craftsmanship in Computational Work
 
Linux-Internals-and-Networking
Linux-Internals-and-NetworkingLinux-Internals-and-Networking
Linux-Internals-and-Networking
 
10 Reasons Why Java Now Rocks More Than Ever
10 Reasons Why Java Now Rocks More Than Ever10 Reasons Why Java Now Rocks More Than Ever
10 Reasons Why Java Now Rocks More Than Ever
 
Zephyr RTOS in One Hour | HARDWARIO @ IoT North UK
Zephyr RTOS in One Hour | HARDWARIO @ IoT North UKZephyr RTOS in One Hour | HARDWARIO @ IoT North UK
Zephyr RTOS in One Hour | HARDWARIO @ IoT North UK
 
Leveraging Android's Linux Heritage at AnDevCon IV
Leveraging Android's Linux Heritage at AnDevCon IVLeveraging Android's Linux Heritage at AnDevCon IV
Leveraging Android's Linux Heritage at AnDevCon IV
 
Java vs .Net
Java vs .NetJava vs .Net
Java vs .Net
 

More from Cysinfo Cyber Security Community

More from Cysinfo Cyber Security Community (20)

Understanding Malware Persistence Techniques by Monnappa K A
Understanding Malware Persistence Techniques by Monnappa K AUnderstanding Malware Persistence Techniques by Monnappa K A
Understanding Malware Persistence Techniques by Monnappa K A
 
Understanding & analyzing obfuscated malicious web scripts by Vikram Kharvi
Understanding & analyzing obfuscated malicious web scripts by Vikram KharviUnderstanding & analyzing obfuscated malicious web scripts by Vikram Kharvi
Understanding & analyzing obfuscated malicious web scripts by Vikram Kharvi
 
Getting started with cybersecurity through CTFs by Shruti Dixit & Geethna TK
Getting started with cybersecurity through CTFs by Shruti Dixit & Geethna TKGetting started with cybersecurity through CTFs by Shruti Dixit & Geethna TK
Getting started with cybersecurity through CTFs by Shruti Dixit & Geethna TK
 
Emerging Trends in Cybersecurity by Amar Prusty
Emerging Trends in Cybersecurity by Amar PrustyEmerging Trends in Cybersecurity by Amar Prusty
Emerging Trends in Cybersecurity by Amar Prusty
 
A look into the sanitizer family (ASAN & UBSAN) by Akul Pillai
A look into the sanitizer family (ASAN & UBSAN) by Akul PillaiA look into the sanitizer family (ASAN & UBSAN) by Akul Pillai
A look into the sanitizer family (ASAN & UBSAN) by Akul Pillai
 
Closer look at PHP Unserialization by Ashwin Shenoi
Closer look at PHP Unserialization by Ashwin ShenoiCloser look at PHP Unserialization by Ashwin Shenoi
Closer look at PHP Unserialization by Ashwin Shenoi
 
The Art of Executing JavaScript by Akhil Mahendra
The Art of Executing JavaScript by Akhil MahendraThe Art of Executing JavaScript by Akhil Mahendra
The Art of Executing JavaScript by Akhil Mahendra
 
Reversing and Decrypting Malware Communications by Monnappa
Reversing and Decrypting Malware Communications by MonnappaReversing and Decrypting Malware Communications by Monnappa
Reversing and Decrypting Malware Communications by Monnappa
 
Analysis of android apk using adhrit by Abhishek J.M
 Analysis of android apk using adhrit by Abhishek J.M Analysis of android apk using adhrit by Abhishek J.M
Analysis of android apk using adhrit by Abhishek J.M
 
Understanding evasive hollow process injection techniques monnappa k a
Understanding evasive hollow process injection techniques   	monnappa k aUnderstanding evasive hollow process injection techniques   	monnappa k a
Understanding evasive hollow process injection techniques monnappa k a
 
Security challenges in d2d communication by ajithkumar vyasarao
Security challenges in d2d communication  by ajithkumar vyasaraoSecurity challenges in d2d communication  by ajithkumar vyasarao
Security challenges in d2d communication by ajithkumar vyasarao
 
S2 e (selective symbolic execution) -shivkrishna a
S2 e (selective symbolic execution) -shivkrishna aS2 e (selective symbolic execution) -shivkrishna a
S2 e (selective symbolic execution) -shivkrishna a
 
Dynamic binary analysis using angr siddharth muralee
Dynamic binary analysis using angr   siddharth muraleeDynamic binary analysis using angr   siddharth muralee
Dynamic binary analysis using angr siddharth muralee
 
Bit flipping attack on aes cbc - ashutosh ahelleya
Bit flipping attack on aes cbc -	ashutosh ahelleyaBit flipping attack on aes cbc -	ashutosh ahelleya
Bit flipping attack on aes cbc - ashutosh ahelleya
 
Security Analytics using ELK stack
Security Analytics using ELK stack	Security Analytics using ELK stack
Security Analytics using ELK stack
 
Linux Malware Analysis
Linux Malware Analysis	Linux Malware Analysis
Linux Malware Analysis
 
Introduction to Binary Exploitation
Introduction to Binary Exploitation	Introduction to Binary Exploitation
Introduction to Binary Exploitation
 
ATM Malware: Understanding the threat
ATM Malware: Understanding the threat	ATM Malware: Understanding the threat
ATM Malware: Understanding the threat
 
XXE - XML External Entity Attack
XXE - XML External Entity Attack	XXE - XML External Entity Attack
XXE - XML External Entity Attack
 
Image (PNG) Forensic Analysis
Image (PNG) Forensic Analysis	Image (PNG) Forensic Analysis
Image (PNG) Forensic Analysis
 

Recently uploaded

Mastering Windows 7 A Comprehensive Guide for Power Users .pdf
Mastering Windows 7 A Comprehensive Guide for Power Users .pdfMastering Windows 7 A Comprehensive Guide for Power Users .pdf
Mastering Windows 7 A Comprehensive Guide for Power Users .pdf
mbmh111980
 
AI/ML Infra Meetup | Improve Speed and GPU Utilization for Model Training & S...
AI/ML Infra Meetup | Improve Speed and GPU Utilization for Model Training & S...AI/ML Infra Meetup | Improve Speed and GPU Utilization for Model Training & S...
AI/ML Infra Meetup | Improve Speed and GPU Utilization for Model Training & S...
Alluxio, Inc.
 

Recently uploaded (20)

AI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAG
AI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAGAI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAG
AI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAG
 
A Python-based approach to data loading in TM1 - Using Airflow as an ETL for TM1
A Python-based approach to data loading in TM1 - Using Airflow as an ETL for TM1A Python-based approach to data loading in TM1 - Using Airflow as an ETL for TM1
A Python-based approach to data loading in TM1 - Using Airflow as an ETL for TM1
 
architecting-ai-in-the-enterprise-apis-and-applications.pdf
architecting-ai-in-the-enterprise-apis-and-applications.pdfarchitecting-ai-in-the-enterprise-apis-and-applications.pdf
architecting-ai-in-the-enterprise-apis-and-applications.pdf
 
IT Software Development Resume, Vaibhav jha 2024
IT Software Development Resume, Vaibhav jha 2024IT Software Development Resume, Vaibhav jha 2024
IT Software Development Resume, Vaibhav jha 2024
 
OpenChain Webinar: AboutCode and Beyond - End-to-End SCA
OpenChain Webinar: AboutCode and Beyond - End-to-End SCAOpenChain Webinar: AboutCode and Beyond - End-to-End SCA
OpenChain Webinar: AboutCode and Beyond - End-to-End SCA
 
The Impact of PLM Software on Fashion Production
The Impact of PLM Software on Fashion ProductionThe Impact of PLM Software on Fashion Production
The Impact of PLM Software on Fashion Production
 
Tree in the Forest - Managing Details in BDD Scenarios (live2test 2024)
Tree in the Forest - Managing Details in BDD Scenarios (live2test 2024)Tree in the Forest - Managing Details in BDD Scenarios (live2test 2024)
Tree in the Forest - Managing Details in BDD Scenarios (live2test 2024)
 
INGKA DIGITAL: Linked Metadata by Design
INGKA DIGITAL: Linked Metadata by DesignINGKA DIGITAL: Linked Metadata by Design
INGKA DIGITAL: Linked Metadata by Design
 
how-to-download-files-safely-from-the-internet.pdf
how-to-download-files-safely-from-the-internet.pdfhow-to-download-files-safely-from-the-internet.pdf
how-to-download-files-safely-from-the-internet.pdf
 
GraphSummit Stockholm - Neo4j - Knowledge Graphs and Product Updates
GraphSummit Stockholm - Neo4j - Knowledge Graphs and Product UpdatesGraphSummit Stockholm - Neo4j - Knowledge Graphs and Product Updates
GraphSummit Stockholm - Neo4j - Knowledge Graphs and Product Updates
 
SQL Injection Introduction and Prevention
SQL Injection Introduction and PreventionSQL Injection Introduction and Prevention
SQL Injection Introduction and Prevention
 
Lessons Learned from Building a Serverless Notifications System.pdf
Lessons Learned from Building a Serverless Notifications System.pdfLessons Learned from Building a Serverless Notifications System.pdf
Lessons Learned from Building a Serverless Notifications System.pdf
 
Odoo vs Shopify: Why Odoo is Best for Ecommerce Website Builder in 2024
Odoo vs Shopify: Why Odoo is Best for Ecommerce Website Builder in 2024Odoo vs Shopify: Why Odoo is Best for Ecommerce Website Builder in 2024
Odoo vs Shopify: Why Odoo is Best for Ecommerce Website Builder in 2024
 
COMPUTER AND ITS COMPONENTS PPT.by naitik sharma Class 9th A mittal internati...
COMPUTER AND ITS COMPONENTS PPT.by naitik sharma Class 9th A mittal internati...COMPUTER AND ITS COMPONENTS PPT.by naitik sharma Class 9th A mittal internati...
COMPUTER AND ITS COMPONENTS PPT.by naitik sharma Class 9th A mittal internati...
 
AI Hackathon.pptx
AI                        Hackathon.pptxAI                        Hackathon.pptx
AI Hackathon.pptx
 
Mastering Windows 7 A Comprehensive Guide for Power Users .pdf
Mastering Windows 7 A Comprehensive Guide for Power Users .pdfMastering Windows 7 A Comprehensive Guide for Power Users .pdf
Mastering Windows 7 A Comprehensive Guide for Power Users .pdf
 
AI/ML Infra Meetup | Improve Speed and GPU Utilization for Model Training & S...
AI/ML Infra Meetup | Improve Speed and GPU Utilization for Model Training & S...AI/ML Infra Meetup | Improve Speed and GPU Utilization for Model Training & S...
AI/ML Infra Meetup | Improve Speed and GPU Utilization for Model Training & S...
 
5 Reasons Driving Warehouse Management Systems Demand
5 Reasons Driving Warehouse Management Systems Demand5 Reasons Driving Warehouse Management Systems Demand
5 Reasons Driving Warehouse Management Systems Demand
 
A Guideline to Zendesk to Re:amaze Data Migration
A Guideline to Zendesk to Re:amaze Data MigrationA Guideline to Zendesk to Re:amaze Data Migration
A Guideline to Zendesk to Re:amaze Data Migration
 
AI/ML Infra Meetup | Perspective on Deep Learning Framework
AI/ML Infra Meetup | Perspective on Deep Learning FrameworkAI/ML Infra Meetup | Perspective on Deep Learning Framework
AI/ML Infra Meetup | Perspective on Deep Learning Framework
 

Unicorn: The Ultimate CPU Emulator by Akshay Ajayan

  • 2. About me ➢ Akshay Ajayan (@r00tus3r) ➢ Third year B.Tech CSE Undergraduate ○ @Amrita Vishwa Vidyapeetham ➢ CTF Player ○ @teambi0s ➢ Focusing on Software Reverse Engineering
  • 3. Agenda ➢ CPU Emulator ➢ Unicorn Engine ○ Challenges ○ Qemu vs Unicorn ➢ Demo ➢ Summary
  • 4. CPU Emulator Emulates physical CPU using software only
  • 5. Internals of a CPU Emulator ➢ Decode binary into separate instructions ➢ Emulate exactly what each instruction does ○ ISA Manual reference is required ○ Handle memory access & I/O upon requested ➢ Update CPU context after each step
  • 6. Example of emulation ➢ Ex: 01D1 → add eax, ebx ○ load eax & ebx registers ○ add values of eax & ebx, then copy result to eax ○ update flags OF, SF, ZF, AF, CF, PF accordingly
  • 7. Applications ➢ Emulate the code without needing to have a real CPU ➢ Safely analyze malware code, detect virus signature ➢ Verify code semantics in reversing
  • 8. Unicorn Engine ➢ Open source CPU emulator framework ○ www.unicorn-engine.org ➢ Developed by: ○ Nguyen Anh Quynh ■ Computer Security Researcher ○ Dang Hoang Vu ■ Security engineer and researcher
  • 9. Features ➢ Multi-architectures: Arm, Arm64 (Armv8), M68K, Mips, Sparc, & X86 (include X86_64) ➢ Clean/simple/lightweight architecture-neutral API ➢ Implemented in pure C language, with bindings for Perl, Rust, Python, Java, Go etc
  • 10. ➢ Native support for Windows & *nix (with Mac OSX, Linux, *BSD & Solaris confirmed) ➢ High performance by using JIT compiler technique ➢ Support fine-grained instrumentation at various levels
  • 11. How was it built? ➢ Forked Qemu? ➢ Were there any challenges? ➢ How is it different?
  • 12. Unicorn vs Qemu ➢ Independent and flexible framework ➢ Much more compact in size, lightweight in memory ➢ Thread-safe with multiple architectures supported in a single binary ➢ Provide interface for dynamic instrumentation ➢ And many more...
  • 13. Showcase ➢ Radare2 ➢ Angr ➢ Usercorn ➢ Cuckoo ➢ Pwndbg ➢ ROPChain ➢ Unicorn.Js ➢ Pwntools
  • 14. Intro to Unicorn API ➢ The core provides API in C ○ open & close Unicorn instance ○ start & stop emulation ○ read & write memory & registers ○ instrument with user-defined callbacks for instructions/single-step/memory event etc ➢ Bindings for multiple languages
  • 18. Summary ➢ Open source CPU emulator framework ➢ Multi-architecture, Multi-platform ➢ Core in pure C, and support for multiple binding languages ➢ Build your own tools on top of it ➢ Allows instrumentation at various levels Questions? Ping @r00tus3r