Editing an instruction before being called doesn't do anything.

[KitMurdock]

I'm emulating some ARM code.

My program changes the next instruction in memory to a NOP. (mov r8,r8).
It displays the correct op codes - but it runs the old instruction.

Instruction
Address: 0x08001064 opcodes: c3 71 : strb r3, [r0, #7]
value of r3 is 0x000000ce

Next instruction - (modified to do nothing once the uc_emu_start is called)
Address: 0x08001066 opcode: c0 46 : mov r8, r8
Value of r3 is 0xe00000a0

r3 isn't touched - so it looks like it's using the old code.

I guess my question is this: should it work??

[wtdcode]

You have to clear translation cache via uc_ctl_remove_cache

[KitMurdock]

Thanks for the quick reply.
I've added the code below after making the memory change - but r3 is still being modified.

#define TB_COUNT (8)
#define TCG_MAX_INSNS (512) // from tcg.h
#define CODE_LEN TB_COUNT *TCG_MAX_INSNS

    for (int i = 0; i < TB_COUNT; i++) 
    {
        uc_ctl_remove_cache(
                uc, 
                code_start_address  + i * TCG_MAX_INSNS, 
                code_start_address  + i * TCG_MAX_INSNS + 1);
    }

[wtdcode]

You have to clear cache once you have rewrite the memory. However, such SMC code should be handled already before translation cache so if you could provide a minimal reproduction then I would have a look.

…

________________________________ From: Kit ***@***.***> Sent: Wednesday, March 2, 2022 6:03:29 PM To: unicorn-engine/unicorn ***@***.***> Cc: lazymio ***@***.***>; Comment ***@***.***> Subject: Re: [unicorn-engine/unicorn] Editing an instruction before being called doesn't do anything. (Issue #1561) Thanks for the quick reply. I've added the code below after making the memory change - but r3 is still being modified. #define TB_COUNT (8) #define TCG_MAX_INSNS (512) // from tcg.h #define CODE_LEN TB_COUNT *TCG_MAX_INSNS for (int i = 0; i < TB_COUNT; i++) { uc_ctl_remove_cache( uc, code_start_address + i * TCG_MAX_INSNS, code_start_address + i * TCG_MAX_INSNS + 1); } ― Reply to this email directly, view it on GitHub<#1561 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AHJULO3ROSOSVKJU6PHJ2MLU56NODANCNFSM5PXEUD5A>. You are receiving this because you commented.Message ID: ***@***.***>

[KitMurdock]

#include <unicorn/unicorn.h>
#include <string.h>

#define ARM_CODE  "\x0b\x10\xa0\xe3\x16\x20\xa0\xe3\x01\x20\x82\xe0"
// mov r1, 0xb
// mov r2, 0x16  <-- going to replace this to do nothing
// add r2, r2, r1

#define ADDRESS 0x10000

void remove_cache(uc_engine *uc)
{
#define TB_COUNT (8)
#define TCG_MAX_INSNS (512) // from tcg.h
    printf ("removing cache\n");
    for (int i = 0; i < TB_COUNT; i++)
    {
        uc_ctl_remove_cache( uc,ADDRESS  + i * TCG_MAX_INSNS, ADDRESS  + i * TCG_MAX_INSNS + 1);
    }
}

static void hook_code_change_second_instruction_to_do_nothing(uc_engine *uc, uint64_t address, uint32_t size,
                      void *user_data)
{
#define NEW_ARM_CODE "\x08\x80\xa0\xe1"

    printf("\nChanging instruction at 0x10004 to do nothing\n");
    printf("Was:     mov r2, #22  [16 20 a0 e3]\n");
    printf("Becomes: mov r8, r8   [08 80 a0 e1]\n");

    uc_mem_write(uc,  0x10004 ,NEW_ARM_CODE, sizeof(NEW_ARM_CODE) - 1);
    remove_cache(uc);

}

static void hook_code(uc_engine *uc, uint64_t address, uint32_t size,
                      void *user_data)
{
    int r2;
    uc_reg_read(uc, UC_ARM_REG_R2, &r2);
    printf(">>> R2 = 0x%x\n\n", r2);

    printf("\n>>> Tracing instruction at 0x%" PRIx64
           ", instruction size = 0x%x\n",
           address, size);


    uint8_t* tmp;
    tmp=malloc(sizeof(uint8_t)*size);

    //Read the line of code (opcode)
    if (!uc_mem_read(uc, address, tmp, size))
    {
        for (int i=0;i<size;i++)
        {
            printf ("%02x ", tmp[i]);
        }
        printf("\n");
    }
}

static void test_arm(void)
{
    uc_engine *uc;
    uc_err err;
    uc_hook trace1, trace2;

    int r2 = 0xbeef; // R2 register

    printf("\n - Emulate ARM code - \n");

    // Initialize emulator in ARM mode
    err = uc_open(UC_ARCH_ARM, UC_MODE_ARM, &uc);
    if (err) {
        printf("Failed on uc_open() with error returned: %u (%s)\n", err,
               uc_strerror(err));
        return;
    }

    // map 2MB memory for this emulation
    uc_mem_map(uc, ADDRESS, 2 * 1024 * 1024, UC_PROT_ALL);

    // write machine code to be emulated to memory
    uc_mem_write(uc, ADDRESS, ARM_CODE, sizeof(ARM_CODE) - 1);

    // initialize machine registers
    uc_reg_write(uc, UC_ARM_REG_R2, &r2);

    uc_hook_add(uc, &trace2, UC_HOOK_CODE, hook_code_change_second_instruction_to_do_nothing, NULL, 0x10000,0x10000);
    // tracing one instruction at ADDRESS with customized callback
    uc_hook_add(uc, &trace1, UC_HOOK_CODE, hook_code, NULL, 1,0);
    // emulate machine code in infinite time (last param = 0), or when
    // finishing all the code.
    err = uc_emu_start(uc, ADDRESS, ADDRESS + sizeof(ARM_CODE) - 1, 0, 0);
    if (err) {
        printf("Failed on uc_emu_start() with error returned: %u\n", err);
    }

    // now print out some registers
    printf("\n>>> Emulation done. Below is the CPU context\n");
    printf(">>> R2 should NOT 0x21 \n");

    uc_reg_read(uc, UC_ARM_REG_R2, &r2);
    printf(">>> R2 = 0x%x\n", r2);

    uc_close(uc);
}



int main(int argc, char **argv, char **envp)
{
    test_arm();

    return 0;
}

[KitMurdock]

Thanks for offering to look at a minimal reproduction.

Once the emulation starts I'm trying to change an instruction to do nothing!

[KitMurdock]

@wtdcode do you have any suggestions? I would be very grateful!

[wtdcode]

@wtdcode do you have any suggestions? I would be very grateful!

Sorry at this moment I'm a bit busy. Spare me some time and I would have a look.

[wtdcode]

I see why it doesn't work. The uc_mem_write can't really invalidate the codepage as it writes to the physical address. The only workaround for now is that you change the code before execute OR
you modify the code by executing another code (like allocate a small page, write some shell code to modify the target code).

Another workaround:

1. hook the address before the instruction you would like to modify
2. modify the address in the hook
3. stop emulation in the hook
4. clear cache on the address of the target instruction (this ensures your modification works)
5. restart emulation where we just stopped

[KitMurdock]

I might have found another workaround.

1. Create a hook at the instruction you want to change
2. When the hook is called modify the instruction in memory
3. Set the PC to the same address
4. Delete the hook you are currently in.

This then seems to go back and execute the new code.

Is this working 'as expected' ?