// test_i386_context_save
public static void TestContextSave()
{
var addr = 0x1000000UL;
var code = new byte[]
{
0x40, // INC eax
};
Console.WriteLine("===================================");
Console.WriteLine("Save/restore CPU context in opaque blob.");
using (var emulator = new X86Emulator(X86Mode.b32))
{
// Map 8KB of memory for emulation.
emulator.Memory.Map(addr, 8 * 1024, MemoryPermissions.All);
// Write machine code to emulate.
emulator.Memory.Write(addr, code, code.Length);
// Initialize registers.
emulator.Registers.EAX = 1;
// Emulate written machine code.
emulator.Start(addr, addr + (ulong)code.Length);
Console.WriteLine(">>> Emulation done. Below is the CPU context");
Console.WriteLine($">>> EAX = 0x{emulator.Registers.EAX.ToString("x2")}");
Console.WriteLine(">>> Saving CPU context");
using (var context = emulator.Context)
{
Console.WriteLine(">>> Running emulation for the second time");
// Emulate machine code again.
emulator.Start(addr, addr + (ulong)code.Length);
Console.WriteLine(">>> Emulation done. Below is the CPU context");
Console.WriteLine($">>> EAX = 0x{emulator.Registers.EAX.ToString("x2")}");
emulator.Context = context;
}
Console.WriteLine(">>> CPU context restored. Below is the CPU context");
Console.WriteLine($">>> EAX = 0x{emulator.Registers.EAX.ToString("x2")}");
}
}
// test_i386_invalid_mem_read
public static void TestInvalidMemoryRead()
{
var addr = 0x1000000UL;
var code = new byte[]
{
0x8B, 0x0D, 0xAA, 0xAA, 0xAA, 0xAA, // MOV ecx [0xaaaaaaaa]
0x41, // INC ecx
0x4A // DEC edx
};
Console.WriteLine("===================================");
Console.WriteLine("Emulate i386 code that read from invalid memory.");
using (var emulator = new X86Emulator(X86Mode.b32))
{
// Map 2MB of memory.
emulator.Memory.Map(addr, 2 * 1024 * 1024, MemoryPermissions.All);
// Write machine code to be emulated.
emulator.Memory.Write(addr, code, (uint)code.Length);
// Initialize registers.
emulator.Registers.ECX = 0x1234;
emulator.Registers.EDX = 0x7890;
// Trace all basic blocks.
emulator.Hooks.Block.Add(BlockHook, null);
// Trace all instructions.
emulator.Hooks.Code.Add(CodeHook, null);
try
{
// Start emulating the machine written machine code.
emulator.Start(addr, addr + (ulong)code.Length);
}
catch (UnicornException ex)
{
Debug.Assert(ex.ErrorCode == UnicornError.ReadUnmapped, "Unexpected error code in caught UnicornException.");
Console.WriteLine($"Failed to start emulator instance. -> {ex.Message}.");
}
Console.WriteLine(">>> Emulation done. Below is the CPU context");
Console.WriteLine($">>> ECX = 0x{emulator.Registers.ECX.ToString("x2")}");
Console.WriteLine($">>> EDX = 0x{emulator.Registers.EDX.ToString("x2")}");
}
}
private void Given_Win32Code(Action <X86Assembler> coder)
{
var asm = new X86Assembler(arch, Address.Ptr32(0x00100000), new List <ImageSymbol>());
coder(asm);
var program = asm.GetImage();
this.segmentMap = program.SegmentMap;
Given_Platform();
var win32 = new Win32Emulator(program.SegmentMap, platform, importReferences);
emu = (X86Emulator)arch.CreateEmulator(program.SegmentMap, win32);
emu.InstructionPointer = program.ImageMap.BaseAddress;
emu.WriteRegister(Registers.esp, (uint)program.ImageMap.BaseAddress.ToLinear() + 0x0FFC);
emu.ExceptionRaised += delegate { throw new Exception(); };
}
private void Given_Code(Action <X86Assembler> coder)
{
var asm = new X86Assembler(arch, Address.Ptr32(0x00100000), new List <EntryPoint>());
coder(asm);
var program = asm.GetImage();
this.image = program.Image;
Given_Platform();
var win32 = new Win32Emulator(image, platform, importReferences);
emu = new X86Emulator(arch, program.Image, win32);
emu.InstructionPointer = program.Image.BaseAddress;
emu.WriteRegister(Registers.esp, (uint)program.Image.BaseAddress.ToLinear() + 0x0FFC);
emu.ExceptionRaised += delegate { throw new Exception(); };
}
// test_i386_inout
public static void TestInOut()
{
var addr = 0x1000000UL;
var code = new byte[]
{
0x41, // INC ecx
0xE4, 0x3F, // IN AL 0x3F
0x4A, // DEC edx
0xE6, 0x46, // OUT 0x46 AL
0x43 // INC ebx
};
Console.WriteLine("===================================");
Console.WriteLine("Emulate i386 code with IN/OUT instructions.");
using (var emulator = new X86Emulator(X86Mode.b32))
{
// Map 2MB of memory.
emulator.Memory.Map(addr, 2 * 1024 * 1024, MemoryPermissions.All);
// Write machine code to be emulated.
emulator.Memory.Write(addr, code, (uint)code.Length);
// Initialize registers.
emulator.Registers.ECX = 0x1234;
emulator.Registers.EDX = 0x7890;
// Trace all basic blocks.
emulator.Hooks.Block.Add(BlockHook, null);
// Trace all instructions.
emulator.Hooks.Code.Add(CodeHook, null);
// Hook X86 IN instructions.
emulator.Hooks.Instruction.Add(HookIn, X86Instructions.IN, null);
// Hook X86 OUT instructions.
emulator.Hooks.Instruction.Add(HookOut, X86Instructions.OUT, null);
// Start emulating the machine written machine code.
emulator.Start(addr, addr + (ulong)code.Length);
Console.WriteLine(">>> Emulation done. Below is the CPU context");
Console.WriteLine($">>> ECX = 0x{emulator.Registers.ECX.ToString("x2")}");
Console.WriteLine($">>> EDX = 0x{emulator.Registers.EDX.ToString("x2")}");
}
}
private void emulatorToolStripMenuItem_Click(object sender, EventArgs e)
{
var sc = new ServiceContainer();
var fs = new FileStream(@"D:\dev\jkl\dec\halsten\decompiler_paq\upx\demo.exe", FileMode.Open);
var size = fs.Length;
var abImage = new byte[size];
fs.Read(abImage, 0, (int)size);
var exe = new ExeImageLoader(sc, "foolexe", abImage);
var peLdr = new PeImageLoader(sc, "foo.exe", abImage, exe.e_lfanew);
var addr = peLdr.PreferredBaseAddress;
var program = peLdr.Load(addr);
var rr = peLdr.Relocate(program, addr);
var win32 = new Win32Emulator(program.SegmentMap, program.Platform, program.ImportReferences);
var emu = new X86Emulator((IntelArchitecture)program.Architecture, program.SegmentMap, win32);
emu.InstructionPointer = rr.EntryPoints[0].Address;
emu.ExceptionRaised += delegate { throw new Exception(); };
emu.WriteRegister(Registers.esp, (uint)peLdr.PreferredBaseAddress.ToLinear() + 0x0FFC);
emu.Start();
}
// test_i386
public static void Test()
{
ulong addr = 0x1000000;
ulong esp = addr + 0x200000;
byte[] code =
{
0xeb, 0x1c, 0x5a, 0x89, 0xd6, 0x8b, 0x02, 0x66, 0x3d,
0xca, 0x7d, 0x75, 0x06, 0x66, 0x05, 0x03, 0x03, 0x89,
0x02, 0xfe, 0xc2, 0x3d, 0x41, 0x41, 0x41, 0x41, 0x75,
0xe9, 0xff, 0xe6, 0xe8, 0xdf, 0xff, 0xff, 0xff, 0x31,
0xd2, 0x6a, 0x0b, 0x58, 0x99, 0x52, 0x68, 0x2f, 0x2f,
0x73, 0x68, 0x68, 0x2f, 0x62, 0x69, 0x6e, 0x89, 0xe3,
0x52, 0x53, 0x89, 0xe1, 0xca, 0x7d, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41
};
Console.WriteLine("Emulate i386 code");
using (var emulator = new X86Emulator(X86Mode.b32))
{
emulator.Memory.Map(addr, 2 * 1024 * 1024, MemoryPermissions.All);
emulator.Memory.Write(addr, code, code.Length);
emulator.Registers.ESP = (long)esp;
emulator.Hooks.Code.Add(HookCode, null);
emulator.Hooks.Interrupt.Add(HookInterrupt, null);
Console.WriteLine();
Console.WriteLine(">>> Start tracing this Linux code");
emulator.Start(addr, addr + (ulong)code.Length);
Console.WriteLine();
Console.WriteLine(">>> Emulation done.");
}
}
public override Program Load(Address addrLoad)
{
// First load the file as a PE Executable. This gives us a (writeable) image and
// the packed entry point.
var pe = CreatePeImageLoader();
var program = pe.Load(pe.PreferredBaseAddress);
var rr = pe.Relocate(pe.PreferredBaseAddress);
this.Image = program.Image;
this.ImageMap = program.ImageMap;
this.Architecture = (IntelArchitecture)program.Architecture;
var win32 = new Win32Emulator(program.Image, program.Platform, program.ImportReferences);
var state = (X86State)program.Architecture.CreateProcessorState();
var emu = new X86Emulator((IntelArchitecture)program.Architecture, program.Image, win32);
this.debugger = new Debugger(emu);
this.scriptInterpreter = new OllyLang();
this.scriptInterpreter.Host = new Host(this);
this.scriptInterpreter.Debugger = this.debugger;
emu.InstructionPointer = rr.EntryPoints[0].Address;
emu.WriteRegister(Registers.esp, (uint)Image.BaseAddress.ToLinear() + 0x1000 - 4u);
emu.BeforeStart += emu_BeforeStart;
emu.ExceptionRaised += emu_ExceptionRaised;
// Load the script.
LoadScript(Argument, scriptInterpreter.script);
emu.Start();
foreach (var ic in win32.InterceptedCalls)
{
program.InterceptedCalls.Add(Address.Ptr32(ic.Key), ic.Value);
}
return(program);
}
public Debugger(X86Emulator emu)
{
this.emu = emu;
}
