uEmu: tiny cute emulator plugin for IDA based on unicorn engine

uEmu

uEmu is a tiny cute emulator plugin for IDA based on unicorn engine.

Supports following architectures out of the box: x86, x64, ARM, ARM64, MIPS, MIPS64

What is it GOOD for?

• Emulate bare-metal code (bootloaders, embedded firmware, etc)
• Emulate standalone functions

What is it BAD for?

• Emulate complex OS code (dynamic libraries, processes, etc)
• Emulate code with many syscalls

What can be improved?

• Find a way to emulate vendor-specific register access (like MSR S3_x, X0 for ARM64)
• Add more registers to track

Features

Popup Menu

 

• Start command initializes emulator by mapping all segments and setting up Unicorn
• Run command emulates instructions until a breakpoint is reached or an error occurs
• Step emulates one or N instruction (hold ALT/OPTION to specify a number)
• Stop interrupts emulation
• Reset resets emulation engine and unmaps all memory regions
• Jump To PC simply jumps to the current PC
• It is possible to Update CPU Context manually or via JSON file (see below)
• Show Controls displays window with Start/Run/Step/Stop buttons
• Show CPU Context displays window with available registers
• Show CPU Extended Context displays a window with extended registers (FP/SIMD)
• Show Stack displays a window with the current Stack
• Show Memory Range allows displaying specific memory region

Start

Start emulation from the cursor. It is necessary to provide the initial CPU context first (see Update CPU Context) After that all segments from the IDA database will be mapped to the emulator (initialized data will be copied as well).

Run

Execute code until code or memory breakpoint is reached or there is an event that requires user action.

Step

Perform a single-step execution. Hold ALT/OPTION to specify the number of steps to perform.

 

Stop

When emulation is in progress this command can be used to interrupt execution.

Reset

Resets emulator instance and unmaps all memory regions.

Breakpoints

You can use IDA breakpoints to indicate locations where emulation should be interrupted. This includes code and memory breakpoints. Usually used together with Run command.

Runtime actions

Unmapped memory

When the emulator needs to access memory that is not yet mapped, the plugin will show the following dialog.

 

• Press YES to provide a memory dump to be loaded to memory.

 

• Press NO to map one empty page (0x1000) filled with zeroes
• Press Cancel to stop emulation

Unknown instructions

When the emulator runs into unknown instruction it is possible to skip it and restore CPU context manually.

 

Views

Controls

Just a panel to control execution.

 

CPU Context

Current CPU context.

 

Every time emulation stops, changed registers will be highlighted. Registers can be displayed in 1, 2, or 3 columns via the popup menu.

It is possible to update CPU context via the popup menu (see below).

CPU Extended Context

Current CPU Extended context.

 

Every time emulation stops, changed registers will be highlighted. Registers can be displayed in 1, 2, or 3 columns via the popup menu.

It is possible to update CPU context via the popup menu (see below).

Memory

Use this view to observe memory regions for specified address and size. A comment will be displayed in a title for convenience.

 

Every time emulation stops, changed memory blocks will be highlighted.

 

Update CPU Context

Register Values can be changed individually or all at once with JSON file via popup menu. The current context can also be saved in a JSON file for future use.

 

 

Main Plugin Menu

Apart from all the functions listed in Popup Menu, there are a couple of new commands.

 

Show Mapped Memory

Display all mapped regions. Use the popup menu to display memory for a particular region or dump it to a file.

 

Fetch Segments

This command tries to sync IDA segments with mapped memory by creating new mappings or merging with existing ones if possible. This helps to add new IDA segments to the emulator in runtime without restarting the emulator.

Load Project

Load uEmu state from a file.

Save Project

Save uEmu state to file. Please note that only registers defined in a plugin are saved.

Settings

• Follow PC scrolls IDA View to current PC during emulation
• Convert to Code automatically is IDA data under the cursor is not code
• Trace instructions prints every instruction emulator is executing
• Lazy mapping adds pages on demand instead of mapping all existing regions at the start

 

Install