Changing PC from within an UC_HOOK_CODE doesn't work

[hugoreinaldo]

Is there a way to change the program counter from within an UC_HOOK_CODE ? None of the following examples seem to work:

def hook_code(uc, address, size, userdata):
    uc.reg_write(arm_const.UC_ARM_REG_PC, 0x00)

def hook_code(uc, address, size, userdata):
    uc.mem_write(address+size, 0x00)

[lunixbochs]

Try stopping emulation and doing an emu_start() at the new address once the hook_code callback returns.

[aquynh]

Can you send a pull request to put your testcase under tests/regress/, so it is possible to test and confirm this issue? Thanks

[gaffe23]

There are test cases for this in tests/regress/callback-pc.py using both UC_HOOK_CODE and UC_HOOK_BLOCK.

[hugoreinaldo]

@lunixbochs I'm trying your solution as a workaround for the issue.

@gaffe23 The test case tests/regress/callback-pc.py covers this issue, however there is no assertion validating the PC change in this test.

[aquynh]

this issue was already discussed at #4

[gaffe23]

@hugoreinaldo Yep, I wrote that before we actually had a test suite. I'm about to submit a pull request to add assertions, just to make it clear that we'd like this to work at some point.

[farmdve]

@aquynh

Have you found a way to change EIP from hooked code? I've been studying Unicorn and the QEMU internals(thank god they are mostly stripped), it's difficult, there is lots of code, but I am making progress.

I do have some ideas, but they are incomplete.

[aquynh]

yes, a rough idea is to quit the current basic block immediately, flush the JIT translation cache, then tell the engine to change the EIP, so next time JIT will start from the new place.

that is the approach, but i dont have time to work on the implementation yet. this is a bit tricky to code. if you can, just go ahead doing it.

[aquynh]

you guys should send in a testcase about changing PC from the callback. i can fix that if i have time.

[farmdve]

I am feeling in the mood to try and tackle this.

So, you said you had something in mind, what is it? What I have in mind is, after setting EIP to a new location, we set the tcg_exit_req to true and some other variable to indicate we are not exiting, but merely changing eip. Then when the hook exits, check_exit_request is immediately called and sees we are requesting exit. Then once it is done, we find a suitable place and flush the translation blocks. Then when tb_find_fast is called it will start translating the new address.

That is for manually changing EIP. For emulating something like SEH, we need to have hooks for exceptions(all exceptions).

EDIT: I think we may need a special function for this. If we use uc_reg_write(UC_X86_REG_EIP) then how can we differentiate between setting EIP before calling uc_emu_start and doing the same from a hook?
EDIT2:With minimal changes I managed to implement changing EIP/PC from callback.

[aquynh]

yes in general the way to go when PC is modified from inside a callback (using uc_reg_write()) is:

• signal to quit the current BB immediately
• upon exit, flush a page in the JIT cache where the new PC belongs to
• let the execution continue

this is not really hard to implement, and i think you can do it :-)

[farmdve]

@aquynh

Experimentally, just for myself, I have. farmdve@bd2f111 this is my dev branch, wanted to test all features at once. Don't mind the indentation :D

[aquynh]

can you have a testcase for this new feature?

do you really want to flush all the cache? how about flushing only a related cache page (that contains the new PC)?

[aquynh]

this feature is now implemented for all architectures in the commit 5a04bcb.

check out https://github.com/unicorn-engine/unicorn/blob/master/tests/unit/test_pc_change.c to see how this works.

if you find any issues, please report.