Closed jt0dd closed 2 years ago
You are asking at the right time. See https://github.com/unicorn-engine/unicorn/issues/406
You are asking at the right time. See #406
I read through that and I didn't completely understand how it relates.
This issue is really breaking my project. Registers aren't tuples, they're bytes. I think it doesn't make sense for Unicorn to do any special formatting of the registers, let the developer convert to separate values if they want to. All the registers should read as bytes not tuples... Why is it happening? Someone please at least explain why the tuple represents so I know how to convert it back to bytes... Or even just link me the source code where it's happening, I'll figure it out.
Registers I found returning tuples:
UC_X86_REG_FP0 UC_X86_REG_FP1 UC_X86_REG_FP2 UC_X86_REG_FP3 UC_X86_REG_FP4 UC_X86_REG_FP5 UC_X86_REG_FP6 UC_X86_REG_FP7 UC_X86_REG_GDTR UC_X86_REG_IDTR UC_X86_REG_LDTR UC_X86_REG_TR
This issue is really breaking my project. Registers aren't tuples, they're bytes. I think it doesn't make sense for Unicorn to do any special formatting of the registers, let the developer convert to separate values if they want to. All the registers should read as bytes not tuples... Why is it happening? Someone please at least explain why the tuple represents so I know how to convert it back to bytes... Or even just link me the source code where it's happening, I'll figure it out.
Registers I found returning tuples:
UC_X86_REG_FP0 UC_X86_REG_FP1 UC_X86_REG_FP2 UC_X86_REG_FP3 UC_X86_REG_FP4 UC_X86_REG_FP5 UC_X86_REG_FP6 UC_X86_REG_FP7 UC_X86_REG_GDTR UC_X86_REG_IDTR UC_X86_REG_LDTR UC_X86_REG_TR
I understand your confusion (as I got this first time). It's hard to explain exactly why it's designed in this way, but you may find all special tuples here: https://github.com/unicorn-engine/unicorn/blob/3184d3fcdf239c77857faacf5670d5b2d64a69cd/bindings/python/unicorn/unicorn.py#L346
For a further explanation, the change was introduced here: https://github.com/unicorn-engine/unicorn/commit/e59382e030aa14e62ebd3fd867889fffb5d64a07 . I also don't have an idea why it is...
@wtdcode thanks, I didn't notice that code before. I'll put some thought into this. Would it be worth keeping the issue open to discussion to decide whether it makes sense to keep it this way, or potentially decide it might be better to normalize the registers? I suspect it has to do with ease-of-use for the (Unicorn) developer but, in my opinion, at the expense of (non-intuitive bindings for) the end-user of the framework. Perhaps others have differing opinions, which I would invite.
@cseagle I think it was your code that introduced this, or am I mistaken? Perhaps you would be the best to explain.
This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 15 days.
I noticed using the python binding for Unicorn, some of the registers are stored as tuples, for example:
At first I thought, well maybe these registers are flags and it's more efficient or perhaps just easier to work with if we store / manipulate them in pieces. So I looked into some of them to see if this guess made sense, particularly GDTR and LDTR:
So, in that section:
It goes on, and maybe I'm missing something but I don't see why these registers would benefit from being broken into pieces. So it seems like that theory is wrong.
So if not to make it easier to work with registers that hold multiple separate pieces of information, why are some of these stored as tuples?
In case it's unclear how I'm arriving at these values, here's my code, the values are read / assigned at
class CPUState
:I noticed the discrepancy because I was planning to track differences between register values through subtraction when I realized it throws an error:
Also sidenote, I noticed
UC_X86_REG_MSR
is a constant Unicorn exposes, but it's the onlyUC_x86_REG_
constant that if you try to callreg_read
on it, throws an error. https://github.com/unicorn-engine/unicorn/issues/1518