PluginBench
Skill
Fail
Audit score 45

rev-unicorn-debug

p4nda0s/reverse-skills

How to install rev-unicorn-debug

npx skills add https://github.com/p4nda0s/reverse-skills --skill rev-unicorn-debug
Claude Code
Cursor
Windsurf
Cline
Full instructions (SKILL.md)

Source of truth, from p4nda0s/reverse-skills.


name: rev-unicorn-debug description: Debug and emulate specific code fragments or functions using the Unicorn engine. Activate when the user wants to emulate a function with Unicorn, trace binary execution without running the full program, decrypt or decode data by emulating the algorithm, or bypass environment dependencies (JNI, syscalls, libc) during emulation.

rev-unicorn-debug - Unicorn Emulation Debugger

Debug and emulate specific code fragments or functions using the Unicorn engine. Analyze context dependencies (JNI, syscalls, library functions) and simulate them through hook mechanisms to complete the user's debugging goal.


Core Principles

  1. Load file raw first — do NOT parse ELF/PE/Mach-O headers. Read the file as raw bytes and map directly into Unicorn memory. We only need to emulate specific functions, not the entire binary. If raw loading fails (code references segments at specific addresses), then parse minimally — only map the segments needed.
  2. Identify context dependencies — analyze the target code for external calls (JNI, syscalls, libc, imports) and hook them to provide simulated responses.
  3. Use callbacks extensively — leverage Unicorn's hook system for debugging, tracing, error recovery, and environment simulation.
  4. Iterative fix — when emulation crashes, use the callback info to diagnose and fix (map missing memory, hook unhandled calls, fix register state).
  5. Minimal trace output — prefer block-level tracing over instruction-level. Only enable instruction trace on small targeted ranges. Use counters and summaries instead of per-step logging.

Environment Simulation Strategy

Before emulating, read the target function and identify what it calls. Hook external dependencies by address and simulate in Python:

CategoryExamplesSimulation Strategy
libcmalloc, free, memcpy, strlen, printfHook address, implement logic in Python (bump allocator for malloc)
JNIGetStringUTFChars, FindClass, GetMethodIDBuild fake JNIEnv function table in UC memory, write RET stubs at each entry, hook stub addresses
Syscallsread, write, mmap, ioctlHook UC_HOOK_INTR, dispatch by syscall number
C++ runtimeoperator new, __cxa_throwHook and simulate
Library callspthread_mutex_lock, dlopenHook and return success/stub

Hook pattern: Register a UC_HOOK_CODE callback. When PC hits a known import address, execute the Python simulation, then set PC = LR to skip the original function.


Callback Types to Use

CallbackPurpose
UC_HOOK_CODEIntercept import calls by address; instruction-level trace (use sparingly, narrow range only)
UC_HOOK_BLOCKBlock-level trace (preferred over instruction trace)
UC_HOOK_MEM_UNMAPPEDAuto-map missing pages to recover from unmapped access errors
UC_HOOK_MEM_READ | UC_HOOK_MEM_WRITETrace memory access on targeted data ranges only
UC_HOOK_INTRIntercept SVC/INT for syscall simulation

Iterative Debugging Workflow

When emulation fails, follow this loop:

  1. Run — start emulation, let it crash
  2. Read callback output — which address faulted? What type (read/write/fetch)?
  3. Diagnose:
    • Unmapped memory fetch → missing code page, map it
    • Unmapped memory read/write → missing data section or uninitialized pointer, map or hook
    • Hitting an import stub → identify the function, add a simulation hook
    • Infinite loop → add a code hook with execution counter, stop after threshold
  4. Fix — add the hook / map the memory / adjust registers
  5. Re-run — repeat until the target function completes

Architecture Quick Reference

ArchUc ConstModeSPLRArgsReturnSyscall
ARM64UC_ARCH_ARM64UC_MODE_LITTLE_ENDIANSPX30X0-X7X0X8 + SVC #0
ARM32UC_ARCH_ARMUC_MODE_THUMB / UC_MODE_ARMSPLRR0-R3R0R7 + SVC #0
x86-64UC_ARCH_X86UC_MODE_64RSP(stack)RDI,RSI,RDX,RCX,R8,R9RAXRAX + syscall
x86-32UC_ARCH_X86UC_MODE_32ESP(stack)(stack)EAXEAX + int 0x80
MIPS32UC_ARCH_MIPSUC_MODE_MIPS32 + UC_MODE_BIG_ENDIAN$sp$ra$a0-$a3$v0$v0 + syscall

Related skills

More from p4nda0s/reverse-skills and the wider catalog.

RE

rev-frida

p4nda0s/reverse-skills

Generate Frida hook scripts using modern Frida API. Activate when the user wants to write Frida scripts, hook functions at runtime, trace calls or arguments or return values, intercept native or ObjC or Java methods, dump memory or exports, or handle native module load timing for Android and other targets.

1.1k installs
RE

rev-struct

p4nda0s/reverse-skills

Reconstruct data structures by analyzing memory access patterns across functions

982 installsAudited
RE

rev-symbol

p4nda0s/reverse-skills

Restore function symbols by analyzing code patterns, strings, constants, and cross-references

976 installs
RE

rev-dex-dumper

p4nda0s/reverse-skills

Dump DEX files from a running Android app for unpacking/deobfuscation. Activate when the user wants to unpack an Android APK, dump DEX from memory, extract decrypted DEX files, or defeat class-loading packing.

940 installs
RE

rev-idapython

p4nda0s/reverse-skills

IDAPython and IDALib script reference for reverse engineering. Activate when the user needs to write IDAPython scripts in IDA, use IDALib for headless analysis, operate on IDB databases, debug with IDA, manipulate memory/registers, traverse functions/blocks/instructions, work with Hex-Rays decompiler API, handle obfuscation, or batch-process binaries.

927 installs
RE

rev-u3d-dump

p4nda0s/reverse-skills

Dump Unity IL2CPP symbols from iOS/Android builds. Extract method names, addresses, and type info from IL2CPP binaries and global-metadata.dat, then generate IDA/Ghidra import scripts.

881 installs