This document discusses the Unicorn CPU emulator engine. It provides an overview of CPU emulation and the challenges involved. Unicorn is presented as an open source, lightweight alternative to Qemu that supports multiple architectures. Its features like clean APIs, JIT compilation, and instrumentation capabilities are highlighted. Demos are shown of Unicorn being used in tools like Radare2 and Cuckoo. The document concludes with references for learning more about Unicorn.

1. Unicorn: The
Ultimate CPU
Emulator
Akshay Ajayan (@r00tus3r)

2. About me
➢ Akshay Ajayan (@r00tus3r)
➢ Third year B.Tech CSE Undergraduate
○ @Amrita Vishwa Vidyapeetham
➢ CTF Player
○ @teambi0s
➢ Focusing on Software Reverse Engineering

3. Agenda
➢ CPU Emulator
➢ Unicorn Engine
○ Challenges
○ Qemu vs Unicorn
➢ Demo
➢ Summary

4. CPU Emulator
Emulates physical CPU using software only

5. Internals of a CPU Emulator
➢ Decode binary into separate instructions
➢ Emulate exactly what each instruction does
○ ISA Manual reference is required
○ Handle memory access & I/O upon
requested
➢ Update CPU context after each step

6. Example of emulation
➢ Ex: 01D1 → add eax, ebx
○ load eax & ebx registers
○ add values of eax & ebx, then copy result
to eax
○ update flags OF, SF, ZF, AF, CF, PF
accordingly

7. Applications
➢ Emulate the code without needing to have a
real CPU
➢ Safely analyze malware code, detect virus
signature
➢ Verify code semantics in reversing

8. Unicorn Engine
➢ Open source CPU emulator framework
○ www.unicorn-engine.org
➢ Developed by:
○ Nguyen Anh Quynh
■ Computer Security Researcher
○ Dang Hoang Vu
■ Security engineer and researcher

9. Features
➢ Multi-architectures: Arm, Arm64 (Armv8), M68K,
Mips, Sparc, & X86 (include X86_64)
➢ Clean/simple/lightweight architecture-neutral
API
➢ Implemented in pure C language, with bindings
for Perl, Rust, Python, Java, Go etc

10. ➢ Native support for Windows & *nix (with Mac
OSX, Linux, *BSD & Solaris confirmed)
➢ High performance by using JIT compiler
technique
➢ Support fine-grained instrumentation at various
levels

11. How was it built?
➢ Forked Qemu?
➢ Were there any challenges?
➢ How is it different?

12. Unicorn vs Qemu
➢ Independent and flexible framework
➢ Much more compact in size, lightweight in
memory
➢ Thread-safe with multiple architectures
supported in a single binary
➢ Provide interface for dynamic instrumentation
➢ And many more...

13. Showcase
➢ Radare2
➢ Angr
➢ Usercorn
➢ Cuckoo
➢ Pwndbg
➢ ROPChain
➢ Unicorn.Js
➢ Pwntools

14. Intro to Unicorn API
➢ The core provides API in C
○ open & close Unicorn instance
○ start & stop emulation
○ read & write memory & registers
○ instrument with user-defined callbacks
for instructions/single-step/memory
event etc
➢ Bindings for multiple languages

15. Demo 1

16. Demo 2

17. Demo 3

18. Summary
➢ Open source CPU emulator framework
➢ Multi-architecture, Multi-platform
➢ Core in pure C, and support for multiple
binding languages
➢ Build your own tools on top of it
➢ Allows instrumentation at various levels
Questions?
Ping @r00tus3r

19. References
➢ www.unicorn-engine.org
➢ www.unicorn-engine.org/BHUSA2015-unic
orn.pdf
➢ www.eternal.red/2018/unicorn-engine-tuto
rial