Unicorn-based EFI emulator?

OSX Reverser has a new blog post on Apple EFI firmware passwords:

[…] This is when I had an idea! How about creating an EFI emulator and debugger using the Unicorn Engine framework? I had a feeling this wouldn’t be extremely hard and time consuming because the EFI environment is self contained – for example no linkers and syscalls to emulate. I also knew that this binary was more or less isolated, only using a few Boot and RunTime services and very few external protocols. Since the total number of Boot and RunTime services are very small this meant that there wasn’t a lot of code to be emulated. And with a couple of days work the EFI DXE Emulator was born. To my surprise I was finally able to run and debug an EFI binary in userland, speeding the reverse engineering process up immensely and quickly providing insight to previously tricky code. […]

Apple EFI firmware passwords and the SCBO myth

Looking forward to a URL to this EFISwissKnife IDA plugin, and ESPECIALLY this new Unicorn-based EFI emulator! I can’t find a URL yet, though. 😦


ARMSCGen: ARM Shellcode Generator

ARM Shellcode Generator: Shellcodes for ARM/Thumb mode. Ideas came from shell-storm and pwntools/pwnies. Thanks for sharing all of the brilliant sources on the net. I’m interested in mobile platforms and architectures like Android on ARM, routers on MIPS and so on. This project, named ARMSCGen, focuses on shellcode for the ARM architecture, especially ARMv7 Thumb mode.




ROPMEMU is a framework to analyze, dissect and decompile complex code-reuse attacks. It adopts a set of different techniques to analyze ROP chains and reconstruct their equivalent code in a form that can be analyzed by traditional reverse engineering tools. In particular, it is based on memory forensics (as its input is a physical memory dump), code emulation (to faithfully rebuild the original ROP chain), multi-path execution (to extract the ROP chain payload), CFG recovery (to rebuild the original control flow), and a number of compiler transformations (to simplify the final instructions of the ROP chain). Specifically, the memory forensics part is based on Volatility plugins. The emulation and the multi-path parts are implemented through the Unicorn emulator. […]




cemu – Cheap EMUlator: Qt GUI of Keystone, Unicorn, Capstone

Hugsy has created cemu, the Cheap EMUlator that shellcoders will enjoy:

Cheap EMUlator is a simple tool to combine together all the features of Keystone, Unicorn and Capstone engines in a Qt powered GUI. It allows you to test binary samples, check your shellcodes or even simply learn how to write assembly code, all of this for the following architectures:

    x86-32 / x86-64
    Arm / AArch64
    MIPS / MIPS64
    (more to come)

    unicorn and its Python bindings, as the emulation engine
    keystone and its Python bindings, as the assembly engine
    capstone and its Python bindings, as the disassembly engine
    PyQt5 for the GUI
    pygments for the text colorization

Moar info:



Keystone Project announced

Nguyen Anh Quynh announced the Keystone Engine Project, with an IndieGogo funding campaign to help them:

We are very excited to announce our IndieGogo campaign for Keystone Engine, the next-gen assembler framework! After Capstone & Unicorn, Keystone is the latest of our on-going efforts to bring better tools to the reverse-engineering community. Now with the final missing piece Keystone, we complete the magical trilogy of disassembler – emulator – assembler. Come support us, and help to spread the news, so together we can solve the lingering problem of the missing assembler framework once and for all! The Keystone name came from some private conversation with Felix “FX” Lindner. Thanks for such a great inspiration, FX!



Unicorn Engine released

Unicorn is a lightweight, multi-platform, multi-architecture CPU emulator framework based on QEMU. Unicorn offers some unparalleled features:

* Multi-architecture: ARM, ARM64 (ARMv8), M68K, MIPS, SPARC, and X86 (16, 32, 64-bit)
* Clean/simple/lightweight/intuitive architecture-neutral API
* Implemented in pure C language, with bindings for Python, Java, and Go
* Native support for Windows & *nix (with Mac OSX, Linux, *BSD & Solaris confirmed)
* High performance via Just-In-Time compilation
* Support for fine-grained instrumentation at various levels
* Thread-safety by design

Unicorn was announced at BlackHat this Summer, and the source for this open source project just got released. Looking forward to using this to debug firmware… but even though it is based on QEMU, I don’t see how to get Unicorn to work with OVMF. If someone knows how, please post a Comment with info!