Unicorn – The Ultimate CPU Emulator
unicorn-engine.org65 points by tosh 7 hours ago
65 points by tosh 7 hours ago
For anyone who isn't familiar with Unicorn, it doesn't emulate any specific whole-system, it's a library/framework for emulation of just the CPU. You are responsible for hooking up the whole "rest of the world" to the emulated CPU, for whatever you might need. This includes things like emulating peripherals, syscalls, binary loading, etc.
You usually use it to build your own emulator or other analysis tool, often for reverse engineering.
Somewhat relatedly, is there something halfway between QEMU and Unicorn? That is, a full VM in a library, with debugging capabilities. I'd like to be able to configure a VM, save the execution at a specific point, modify memory, run, and stop when some condition is hit (e.g. a memory address is read, or executed). For years I've had this idea of running the Jamella editor in multiple threads to crack Diablo II item seeds.
I use Qiling [0] (built on top of Unicorn) sometimes for this kind of things (it can take application snapshots, that you can restore; and you can also use something similar to x86/x86-64 memory hardware breakpoints too). Might fit what you want, although it can sometimes be in a pain in the rear to set up...
Sweet, thanks. It doesn't seem to be exactly what I'm looking for, in that it simulates (replaces) the OS instead of hosting it, but it's still interesting.
Well, there's ptrace/gdb? (Since you mentioned Diablo II, you might want a windows debugger, but same idea)
I was just looking at Unicorn last week because it's used by unipacker to do automated unpacking of binaries. I built a "toolbox" for gpt-5.5 to do semi-automated malware and exploit reverse engineering and unipacker is sometimes useful for that purpose.
"Based on Qemu 5, we built Unicorn2 from scratch"
What?
Unicorn is more like a fork of Qemu than something that depends on it. So what they're saying here is, they reimplemented the Unicorn feature-set (which dramatically diverges from the Qemu feature-set) from scratch based on a newer Qemu branch.
uh.. what is a cpu emulator? or what can I do with it? I am kind of having hard time comprehend this.
Low-level debugging, older games (so many consoles have used everything from MIPS to PowerPC as CPUs), etc.
In the early 2000s, I used a linux-based emulator to virtualize some ancient manufacturing hardware control software that was still running on EOL and very expensive PA-RISC kit. It saved the company tens of thousands of dollars in new hardware, while also running faster (it involved early 1990s-era proprietary vector graphics as part of it was printing on the goods). The HP sales people were not amused and tried very hard to get my 22 year old self fired, but my manager convinced them to use it and the old hardware as a backup for awhile. Last I heard in 2011 it was still being used, though running in linux on VMware.
This comparison to qemu gives some idea: https://www.unicorn-engine.org/docs/beyond_qemu.html
The ability to execute and inspect some code without any context (no OS, not even a complete binary) is useful for reverse/security engineering.
An emulator is a computer program that executes the machine code of some system. For example, if your computer is x86, you can't natively run ARM machine code. But an emulator can.
QEMU is an emulator that can run entire operating systems, because it emulates hardware devices like hard drives and displays. Unicorn doesn't emulate any of those things, it only emulates the CPU. It's probably mostly useful for compiler development and security research / reverse engineering.
Well, say all you've got is an x86 device, but you want to develop for ARM. You can write and compile your code, push it to unicorn, and see how it runs.
Or you can use it as a sandbox serving x86 software on an x86 machine.
Or as a "virtual machine" serving say AOSP for ARM on a Windows x86 host.
There's a long list of projects using Unicorn at https://www.unicorn-engine.org/showcase/
> Based on Qemu 5, we built Unicorn2 from scratch, […] still maintaining backward compatibility with the current version, […] we also added 2 highly-demanded architectures in PowerPC & RISCV.
Qemu supports RV and PPC! And all of that is not what “from scratch” means!