Writing register IP causes previous emu_stop useless

[wtdcode]

Code snippet.

from unicorn import *
from unicorn.arm64_const import UC_ARM64_REG_W0, UC_ARM64_REG_X0
from unicorn.x86_const import *
import time

def test():
    count = 0
    def cb(a, b, c, d):
        nonlocal count
        count += 1
        print(f"Count {count}")
        if count <= 10:
            # This one never works.
            mu.emu_stop()
            # This line cause previous emu_stop useless.
            mu.reg_write(UC_X86_REG_IP, 0x1000)
        else:
            mu.emu_stop()



    try:
        mu = Uc(UC_ARCH_X86, UC_MODE_16)
        address_to_load = 0x1000
        mu.mem_map(0x1000, 4 * 1024, UC_PROT_ALL)
        cmd =  b'\xb8\x00\x00\xeb\xfb' #  ks.asm("lb:\nmov ax, 0h\njmp lb\n", 0x1000)
        mu.reg_write(UC_X86_REG_IP, 0x1000)
        mu.reg_write(UC_X86_REG_CS, 0)
        mu.mem_write(address_to_load, cmd)
        mu.hook_add(UC_HOOK_CODE, cb)
        mu.emu_start(address_to_load, address_to_load + len(cmd))
    except UcError as e:
        print("ERROR: %s" % e)

if __name__ == '__main__':
    test()

Output on my machine:

Count 1
Count 2
Count 3
Count 4
Count 5
Count 6
Count 7
Count 8
Count 9
Count 10
Count 11

Some investigation shows that:

                    case UC_X86_REG_IP:
                        X86_CPU(uc, mycpu)->env.eip = *(uint16_t *)value;
                        // force to quit execution and flush TB
                        uc->quit_request = true;
                        uc_emu_stop(uc);
                        break;

uc->quit_request is set to true when writing to register ip.

And that resets uc->stop_request and thus makes previous emu_stop useless.

static bool tcg_exec_all(struct uc_struct* uc)
{
    int r;
    bool finish = false;
    while (!uc->exit_request) {
        CPUState *cpu = uc->cpu;
        CPUArchState *env = cpu->env_ptr;

        //qemu_clock_enable(QEMU_CLOCK_VIRTUAL,
        //                  (cpu->singlestep_enabled & SSTEP_NOTIMER) == 0);
        if (cpu_can_run(cpu)) {
            uc->quit_request = false;
            r = tcg_cpu_exec(uc, env);

            // quit current TB but continue emulating?
            if (uc->quit_request) {
                // reset stop_request
                uc->stop_request = false;
            } else if (uc->stop_request) {
                //printf(">>> got STOP request!!!\n");
                finish = true;
                break;
            }
    // omitted
    return finish;
}

[crass]

I believe I'm running in to this also. It would be nice to get a fix for this. Also I believe this is a duplicate of #1133.

[wtdcode]

Hi, This would be fixed in unicorn2. Link to #1217

…

________________________________ From: crass ***@***.***> Sent: Monday, August 16, 2021 1:40:41 PM To: unicorn-engine/unicorn ***@***.***> Cc: lazymio ***@***.***>; Author ***@***.***> Subject: Re: [unicorn-engine/unicorn] Writing register IP causes previous emu_stop useless (#1356) I believe I'm running in to this also. It would be nice to get a fix for this. Also I believe this is a duplicate of #1133<#1133>. ― You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub<#1356 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AHJULO7DFJKMMKU5OMJWEDLT5CQFTANCNFSM4UELKNCA>.

[crass]

That appears to be vaporware at the moment. Based on your analysis, it seems like this could be a relatively easy fix. But, perhaps not?

[wtdcode]

Not necessarily, I have to test for various cases to determine whether it can be simply fixed by setting it to false or adding another if.

…

________________________________ From: crass ***@***.***> Sent: Monday, August 16, 2021 2:11:01 PM To: unicorn-engine/unicorn ***@***.***> Cc: lazymio ***@***.***>; Author ***@***.***> Subject: Re: [unicorn-engine/unicorn] Writing register IP causes previous emu_stop useless (#1356) That appears to be vaporware at the moment. Based on your analysis, it seems like this could be a relatively easy fix. But, perhaps not? ― You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub<#1356 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AHJULO4F7BAIHR33DTYSHIDT5CTXLANCNFSM4UELKNCA>.

[crass]

I'm trying to reproduce this and testing the program above. It is stopping at Count 1. I've tested against master and 1.0.2-rc1, which was over a year before this issue was created. Do you remember what the git hash was of the version of unicorn you were using?

[wtdcode]

I'm trying to reproduce this and testing the program above. It is stopping at Count 1. I've tested against master and 1.0.2-rc1, which was over a year before this issue was created. Do you remember what the git hash was of the version of unicorn you were using?

I don't remember any fix is done for this issue. How do you produce it?

[crass]

I think you're right, that there is no fix, because I think I am reproducing it. However, its very complicated while analyzing a large binary using Qiling. Does your example above work for you?

[wtdcode]

Closed due to uc2 beta release.