AFL-Unicorn: fuzz any architecture supported by Unicorn

afl-unicorn lets you fuzz any piece of binary that can be emulated by Unicorn Engine.

[…] Unicorn Mode works by implementing the block-edge instrumentation that AFL’s QEMU Mode normally does into Unicorn Engine. Basically, AFL will use block coverage information from any emulated code snippet to drive its input generation. The whole idea revolves around proper construction of a Unicorn-based test harness, as shown in the figure below:
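To make the block-edge idea concrete, here is an added example (not afl-unicorn's own code) of a Unicorn block hook that fills an AFL-style edge bitmap using the same hashing AFL's QEMU mode applies; the `emulate_sample()` helper assumes the `unicorn` Python bindings are installed and runs a constructed x86-32 loop.

```python
"""AFL-style block-edge coverage collected from a Unicorn UC_HOOK_BLOCK callback."""

MAP_SIZE = 1 << 16  # AFL's default 64 KiB coverage bitmap


class EdgeMap:
    """Counts (previous block -> current block) transitions like AFL's shared bitmap."""

    def __init__(self):
        self.bitmap = bytearray(MAP_SIZE)
        self.prev_loc = 0

    def on_block(self, uc, address, size, user_data=None):
        """Unicorn block-hook callback; fires once per basic block entered."""
        # Same block-id hashing as AFL's QEMU mode, masked to the bitmap size.
        cur_loc = ((address >> 4) ^ (address << 8)) & (MAP_SIZE - 1)
        index = cur_loc ^ self.prev_loc
        self.bitmap[index] = (self.bitmap[index] + 1) & 0xFF  # wraps like AFL's uint8 hit counter
        self.prev_loc = cur_loc >> 1  # shifted so A->B and B->A hash to different edges

    def edges_hit(self):
        """Distinct edges seen; AFL compares this against its global map to rank inputs."""
        return sum(1 for b in self.bitmap if b)


# Constructed x86-32 sample: a counted loop, so the back-edge repeats and the
# exit edge appears only once the counter hits zero.
#   mov eax, 3        B8 03 00 00 00
# loop: dec eax       48
#   jnz loop          75 FD
#   ret               C3
SAMPLE_CODE = b"\xb8\x03\x00\x00\x00\x48\x75\xfd\xc3"
BASE = 0x1000  # hypothetical load address


def emulate_sample(code=SAMPLE_CODE, base=BASE):
    """Run `code` under Unicorn with the block hook attached and return the EdgeMap."""
    from unicorn import Uc, UC_ARCH_X86, UC_MODE_32, UC_HOOK_BLOCK

    uc = Uc(UC_ARCH_X86, UC_MODE_32)
    uc.mem_map(base, 0x1000)
    uc.mem_write(base, code)
    cov = EdgeMap()
    uc.hook_add(UC_HOOK_BLOCK, cov.on_block)
    # Stop at the final ret (no stack is mapped); a real harness would stop at
    # the end of the target function instead.
    uc.emu_start(base, base + len(code) - 1)
    return cov


if __name__ == "__main__":
    print("distinct edges:", emulate_sample().edges_hit())
```

In a fuzzing loop the bitmap would be reset per input and compared against the global map; a new non-zero index means the input reached a new edge and is worth keeping.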


uEmu: Unicorn-based emulator plugin for IDA

uEmu is a tiny cute emulator plugin for IDA based on unicorn engine.

Supports the following architectures out of the box: x86, x64, ARM, ARM64.

What is it GOOD for?
* Emulate bare metal code (bootloaders, embedded firmware, etc.)
* Emulate standalone functions

Unicorn Emulator 1.0.1 released

Nguyen Anh Quynh announced the 1.0.1 release of the Unicorn CPU Emulator.

[unicorn-engine] Unicorn Emulator v1.0.1 is out!
We are excited to announce version 1.0.1 for Unicorn CPU Emulator framework! This is a stable release, in which we fixed some issues in the core, added some features on Arm, Arm64, Mips & X86. […]

Unicorn-based EFI emulator?

OSX Reverser has a new blog post on Apple EFI firmware passwords:

[…] This is when I had an idea! How about creating an EFI emulator and debugger using the Unicorn Engine framework? I had a feeling this wouldn’t be extremely hard and time consuming because the EFI environment is self contained – for example no linkers and syscalls to emulate. I also knew that this binary was more or less isolated, only using a few Boot and RunTime services and very few external protocols. Since the total number of Boot and RunTime services are very small this meant that there wasn’t a lot of code to be emulated. And with a couple of days work the EFI DXE Emulator was born. To my surprise I was finally able to run and debug an EFI binary in userland, speeding the reverse engineering process up immensely and quickly providing insight to previously tricky code. […]

Apple EFI firmware passwords and the SCBO myth

Looking forward to a URL for this EFISwissKnife IDA plugin, and ESPECIALLY this new Unicorn-based EFI emulator! I can’t find a URL yet, though. 😦


ARMSCGen: ARM Shellcode Generator

ARM Shellcode Generator: Shellcodes for ARM/Thumb mode. Ideas came from shell-storm and pwntools/pwnies. Thanks for sharing all the brilliant sources on the net. I’m interested in mobile platforms and architectures like Android on ARM, routers on MIPS and so on. This project, named ARMSCGen, focuses on shellcode for the ARM architecture, especially ARMv7 Thumb mode.

ROPMEMU is a framework to analyze, dissect and decompile complex code-reuse attacks. It adopts a set of different techniques to analyze ROP chains and reconstruct their equivalent code in a form that can be analyzed by traditional reverse engineering tools. In particular, it is based on memory forensics (as its input is a physical memory dump), code emulation (to faithfully rebuild the original ROP chain), multi-path execution (to extract the ROP chain payload), CFG recovery (to rebuild the original control flow), and a number of compiler transformations (to simplify the final instructions of the ROP chain). Specifically, the memory forensics part is based on Volatility plugins. The emulation and multi-path parts are implemented through the Unicorn emulator. […]

cemu – Cheap EMUlator: Qt GUI of Keystone, Unicorn, Capstone

Hugsy has created cemu, the Cheap EMUlator that shellcoders will enjoy:

Cheap EMUlator is a simple tool to combine together all the features of the Keystone, Unicorn and Capstone engines in a Qt powered GUI. It allows you to test binary samples, check your shellcodes or even simply learn how to write assembly code, all of this for the following architectures:

* x86-32 / x86-64
* Arm / AArch64
* MIPS / MIPS64
* (more to come)

It relies on:

* unicorn and its Python bindings, as the emulation engine
* keystone and its Python bindings, as the assembly engine
* capstone and its Python bindings, as the disassembly engine
* PyQt5 for the GUI
* pygments for the text colorization

Moar info: