Command unicorn-emulate
If you have installed the unicorn emulation engine and its Python bindings, gef integrates a new command to emulate instructions from your current debugging context.
This command, unicorn-emulate (or its alias emu), replicates the current memory mapping (including the page permissions) inside the emulator for you. By default (i.e. without any additional argument) it emulates the execution of the instruction about to be executed (the one pointed to by $pc) and displays which register(s) that instruction taints.
Use -h for help:
gef➤ emu -h
For example, the following command will execute only the next 2 instructions:
gef➤ emu -n 2
In the output it shows for this example, we can see that after executing
0x80484db <main+75> xor eax,eax
0x80484dd <main+77> add esp,0x18
the registers eax and esp are tainted (modified).
A convenient option is -o /path/to/file.py, which generates a pure Python script embedding your current execution context (memory mapping, page permissions, register values and code), ready to be re-used outside gef. This can be useful for dealing with obfuscation or for solving crackmes, for instance when the script is combined with an SMT solver.
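The shape of such a stand-alone script, as an added example written for this page rather than the file that gef's -o option actually produces: it rebuilds a captured context in unicorn, runs a fixed number of instructions (the equivalent of emu -n 2) and reports which registers changed. The embedded context (the two instructions of the listing above, a fake stack segment and the register values) is constructed for the demonstration, and the script assumes unicorn with its Python bindings is installed.

```python
"""Stand-alone unicorn emulation of a captured debugging context.

Added example for this page, not the script gef writes with -o. It assumes
unicorn and its Python bindings are installed. The context (code bytes,
segments, register values) is constructed to match the listing on the page.
"""

# unicorn's UC_PROT_* values; imported when the engine is present so that the
# pure-Python helpers below can be exercised without it.
try:
    from unicorn import UC_PROT_READ, UC_PROT_WRITE, UC_PROT_EXEC
except ImportError:
    UC_PROT_READ, UC_PROT_WRITE, UC_PROT_EXEC = 1, 2, 4

PAGE = 0x1000

# Constructed context: the two instructions of the listing, encoded as
# 31 c0 (xor eax,eax) and 83 c4 18 (add esp,0x18), plus a fake stack.
CODE_ADDR = 0x080484DB
CODE = bytes.fromhex("31c0" "83c418")
STACK_TOP = 0xFFFFE000
STACK_SIZE = 0x2000
REGS = {
    "eax": 0xDEADBEEF, "ebx": 0, "ecx": 0, "edx": 0, "esi": 0, "edi": 0,
    "ebp": 0xFFFFDFD8, "esp": 0xFFFFDFC0, "eip": CODE_ADDR,
}
# (start, end, perms) as a vmmap or /proc/<pid>/maps listing would show them
SEGMENTS = [
    (CODE_ADDR, CODE_ADDR + len(CODE), "r-x"),
    (STACK_TOP - STACK_SIZE, STACK_TOP, "rw-"),
]


def perms_to_uc(perms: str) -> int:
    """Translate an 'rwx' string into the UC_PROT_* flags mem_map expects."""
    flags = 0
    if "r" in perms:
        flags |= UC_PROT_READ
    if "w" in perms:
        flags |= UC_PROT_WRITE
    if "x" in perms:
        flags |= UC_PROT_EXEC
    return flags


def page_span(start: int, end: int) -> tuple:
    """Return (base, size) rounded to page boundaries; mem_map rejects unaligned maps."""
    base = start & ~(PAGE - 1)
    limit = (end + PAGE - 1) & ~(PAGE - 1)
    return base, limit - base


def tainted(before: dict, after: dict, ignore=("eip",)) -> list:
    """Registers whose value changed. eip always advances, so it is skipped
    by default (an assumption about what is interesting, not gef's rule)."""
    return sorted(r for r in before if r not in ignore and before[r] != after[r])


def emulate(count: int) -> dict:
    """Rebuild the context inside unicorn, run `count` instructions, return registers."""
    from unicorn import Uc, UC_ARCH_X86, UC_MODE_32, UC_HOOK_CODE
    from unicorn import x86_const

    reg_ids = {name: getattr(x86_const, f"UC_X86_REG_{name.upper()}") for name in REGS}
    mu = Uc(UC_ARCH_X86, UC_MODE_32)
    for start, end, perms in SEGMENTS:          # replicate mapping + page permissions
        base, size = page_span(start, end)
        mu.mem_map(base, size, perms_to_uc(perms))
    mu.mem_write(CODE_ADDR, CODE)
    for name, value in REGS.items():
        mu.reg_write(reg_ids[name], value)

    def trace(uc, address, size, user_data):     # UC_HOOK_CODE callback
        print(f"  executing {size}-byte instruction at {address:#010x}")

    mu.hook_add(UC_HOOK_CODE, trace)
    # `count` plays the role of `emu -n`; the end address is a second stop condition.
    mu.emu_start(CODE_ADDR, CODE_ADDR + len(CODE), count=count)
    return {name: mu.reg_read(reg_ids[name]) for name in REGS}


if __name__ == "__main__":
    after = emulate(count=2)
    for name in REGS:
        mark = "*" if name in tainted(REGS, after) else " "
        print(f"{mark} {name}: {REGS[name]:#010x} -> {after[name]:#010x}")
    print("tainted:", ", ".join(tainted(REGS, after)))   # eax, esp
```

Run it with python3 outside of gdb. perms_to_uc carries the page permissions over, page_span satisfies unicorn's requirement that mappings be page-aligned, and the register diff in tainted is what "tainted" means on this page. One caveat when reusing such a script on a longer region: unicorn only executes user-mode instructions, so an int 0x80 or syscall in the emulated stretch stops emulation with an error unless you install an interrupt or instruction hook (UC_HOOK_INTR or UC_HOOK_INSN) that services it yourself.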