Download as PDF, PPTX
More Related Content
![2. [Daily hack] Citrix_waf_bypass](https://cdn.slidesharecdn.com/ss_thumbnails/dailyhackcitrixwafbypass-150408071548-conversion-gate01-thumbnail.jpg?width=640&height=640&fit=bounds)
![[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions](https://cdn.slidesharecdn.com/ss_thumbnails/hhonlyfinal-121108030835-phpapp01-thumbnail.jpg?width=640&height=640&fit=bounds)
Similar to Unicorn: The Ultimate CPU Emulator by Akshay Ajayan
More from Cysinfo Cyber Security Community
Unicorn: The Ultimate CPU Emulator by Akshay Ajayan
- 1. Unicorn: The Ultimate CPU Emulator AkshayAjayan (@r00tus3r)
- 2. About me ➢ AkshayAjayan (@r00tus3r) ➢ Third year B.Tech CSE Undergraduate ○ @Amrita Vishwa Vidyapeetham ➢ CTF Player ○ @teambi0s ➢ Focusing on Software Reverse Engineering
- 3. Agenda ➢ CPU Emulator ➢Unicorn Engine ○ Challenges ○ Qemu vs Unicorn ➢ Demo ➢ Summary
- 4. CPU Emulator Emulates physicalCPU using software only
- 5. Internals of aCPU Emulator ➢ Decode binary into separate instructions ➢ Emulate exactly what each instruction does ○ ISA Manual reference is required ○ Handle memory access & I/O upon requested ➢ Update CPU context after each step
- 6. Example of emulation ➢Ex: 01D1 → add eax, ebx ○ load eax & ebx registers ○ add values of eax & ebx, then copy result to eax ○ update flags OF, SF, ZF, AF, CF, PF accordingly
- 7. Applications ➢ Emulate thecode without needing to have a real CPU ➢ Safely analyze malware code, detect virus signature ➢ Verify code semantics in reversing
- 8. Unicorn Engine ➢ Opensource CPU emulator framework ○ www.unicorn-engine.org ➢ Developed by: ○ Nguyen Anh Quynh ■ Computer Security Researcher ○ Dang Hoang Vu ■ Security engineer and researcher
- 9. Features ➢ Multi-architectures: Arm,Arm64 (Armv8), M68K, Mips, Sparc, & X86 (include X86_64) ➢ Clean/simple/lightweight architecture-neutral API ➢ Implemented in pure C language, with bindings for Perl, Rust, Python, Java, Go etc
- 10. ➢ Native supportfor Windows & *nix (with Mac OSX, Linux, *BSD & Solaris confirmed) ➢ High performance by using JIT compiler technique ➢ Support fine-grained instrumentation at various levels
- 11. How was itbuilt? ➢ Forked Qemu? ➢ Were there any challenges? ➢ How is it different?
- 12. Unicorn vs Qemu ➢Independent and flexible framework ➢ Much more compact in size, lightweight in memory ➢ Thread-safe with multiple architectures supported in a single binary ➢ Provide interface for dynamic instrumentation ➢ And many more...
- 13. Showcase ➢ Radare2 ➢ Angr ➢Usercorn ➢ Cuckoo ➢ Pwndbg ➢ ROPChain ➢ Unicorn.Js ➢ Pwntools
- 14. Intro to UnicornAPI ➢ The core provides API in C ○ open & close Unicorn instance ○ start & stop emulation ○ read & write memory & registers ○ instrument with user-defined callbacks for instructions/single-step/memory event etc ➢ Bindings for multiple languages
- 15.
- 16.
- 17.
- 18. Summary ➢ Open sourceCPU emulator framework ➢ Multi-architecture, Multi-platform ➢ Core in pure C, and support for multiple binding languages ➢ Build your own tools on top of it ➢ Allows instrumentation at various levels Questions? Ping @r00tus3r
- 19. References ➢ www.unicorn-engine.org ➢ www.unicorn-engine.org/BHUSA2015-unic orn.pdf ➢www.eternal.red/2018/unicorn-engine-tuto rial