# unicorn emulation from memory snapshot

[repository link](https://github.com/rota1001/snapcorn)

## Dependencies

### rust

```shell
$ curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
```

### unicorn

```shell
$ wget https://github.com/unicorn-engine/unicorn/archive/refs/tags/2.1.4.zip
$ unzip 2.1.4.zip
$ cd unicorn-2.1.4/
$ mkdir build
$ cd build
$ cmake ..
$ make -j `nproc`
$ sudo make install
```

### udbserver

The upstream version doesn't support the newest unicorn-engine version at this moment, so I use my own fork.

```shell
$ wget https://github.com/rota1001/udbserver/archive/refs/heads/fix-dependency.zip
$ unzip fix-dependency.zip
$ cd udbserver-fix-dependency/
$ cargo install cargo-c
$ cargo cinstall --release --prefix=/usr --destdir build
$ sudo cp -dr build/* /
```

### capstone

```shell
$ sudo apt-get install libcapstone-dev
```

## Usage

I use a simple ELF, `build/example`, as the example: you enter your name and it says hello to you.

### Load ELF file with snapcorn

Run the following command; it takes a snapshot when execution reaches the entry point and starts emulating from there in unicorn.

```shell
./snapcorn build/example
```

In this example, you will see this:

```
...
[+] Getting FPU/MMX/SSE Registers (ST, XMM)...
[+] Getting AVX/AVX-512 Registers (YMM, ZMM, K)...
[+] Start Emulating
===========================================
```

Then you can enter your name, and it will say hello to you:

```
aaa
Hello, aaa
===========================================
[+] DONE
```

### Take snapshot by pid

You can first run your program, use `ps aux` to find the pid of that process (for example 12345), and attach to it with the `-p` option:

```shell
./snapcorn -p 12345
```

### Export the context to file

With either of the two snapshot methods above, you can write the context to a file with the `-o` option:

```shell
./snapcorn -p 12345 -o out
```

### Import the context from file

Use `-l` to load the context from an exported file and start the emulation:

```shell
./snapcorn -l out
```

### GDB server

Use `-gdb` to start a gdb server on a specific port (for example 1234):

```shell
./snapcorn -l out -gdb 1234
```