Getting started with Unicorn, and a writeup of Qiangwang Cup (强网杯) unicorn_like_a_pro

This post was last updated on: August 23, 2021 (afternoon)

Introduction to Unicorn and installation

Introduction

Unicorn is a lightweight, multi-platform, multi-architecture CPU emulator framework based on QEMU. It lets us concentrate on CPU operations and ignore differences between machine devices. Consider the situations it applies to: we only need to emulate the execution of some code rather than have a real CPU carry out those operations; we want to analyse malicious code more safely or detect virus signatures; or we want to verify what a piece of code does while reversing. A CPU emulator is a great convenience in all of these cases.
Unicorn offers some very powerful features:
Multi-architecture: ARM, ARM64 (ARMv8), M68K, MIPS, SPARC and X86 (16, 32 and 64-bit)
Clean/simple/lightweight/intuitive architecture-neutral API
Implemented in pure C, with bindings for Crystal, Clojure, Visual Basic, Perl, Rust, Ruby, Python, Java, .NET, Go, Delphi/Free Pascal, Haskell, Pharo and Lua.
Native support for Windows and *nix (confirmed on Mac OSX, Linux, *BSD and Solaris)
High-performance JIT compilation
For more information visit http://www.unicorn-engine.org

Applications

  • Calling malicious functions without starting a harmful process
  • Harder CTF challenges
  • Fuzzing
  • gdb plugins that rely on emulated code execution
  • Emulating obfuscated code

Installation

The simplest case, installing the Python module, serves as the example here:

pip/pip3 install unicorn

Python 3 is all it takes for a successful install; for building and installing on other platforms there are plenty of tutorials online.

You can also download the source and build it yourself.

Unicorn usage guide

# A simple emulation: increment and decrement two registers
from __future__ import print_function
from unicorn import *
from unicorn.x86_const import *

# The code to be emulated
X86_CODE32 = b"\x41\x4a" # INC ecx; DEC edx

# Memory address at which emulation starts
ADDRESS = 0x1000000

print("Emulate i386 code")
try:
    # Initialise the emulator in x86-32 mode
    mu = Uc(UC_ARCH_X86, UC_MODE_32)

    # Map 2 MB of memory for this emulation
    mu.mem_map(ADDRESS, 2 * 1024 * 1024)

    # Write the machine code into memory
    mu.mem_write(ADDRESS, X86_CODE32)

    # Initialise the emulator's registers
    mu.reg_write(UC_X86_REG_ECX, 0x1234)
    mu.reg_write(UC_X86_REG_EDX, 0x7890)

    # Emulate the code (emu_start takes four parameters; the last two are the
    # emulation timeout and the number of instructions to execute. Leaving them
    # out here means no time limit and no instruction limit)
    mu.emu_start(ADDRESS, ADDRESS + len(X86_CODE32))

    # Print the register values
    print("Emulation done. Below is the CPU context")

    r_ecx = mu.reg_read(UC_X86_REG_ECX)
    r_edx = mu.reg_read(UC_X86_REG_EDX)
    print(">>> ECX = 0x%x" % r_ecx)
    print(">>> EDX = 0x%x" % r_edx)

except UcError as e:
    print("ERROR: %s" % e)

Commonly used APIs:

Uc(arch, mode): initialise the emulator; the parameters select the architecture and mode
mem_map(address, size): map memory
mem_write(address, code): write to memory
mem_read(address, size): read data from memory
reg_write(reg, value): write a register
emu_start(address_start, address_end, timeout=0, count=0): start emulation
reg_read(reg): read the value of a register
hook_add(): register a callback that fires in a particular situation

Reproducing Qiangwang Cup unicorn_like_a_pro

Symbol recovery

This challenge uses the Unicorn framework to emulate a piece of code. Loading it in IDA shows no symbols, so we learn to use BinDiff to restore the symbol table.

BinDiff download: https://www.zynamics.com/software.html

After installing it, copy the IDA plugin into IDA's plugins directory.


Then prepare the two files to diff: one is the challenge binary, the other is a compiled Unicorn library, libunicorn.so.1.

Before running BinDiff, you need the packed IDA database files for both.


Then import the symbol table:


Set the threshold to 0.7; adjust it to your own situation.


API analysis

The uc_open function

uc_err uc_open(uc_arch arch, uc_mode mode, uc_engine **uc);
Create a new Unicorn instance
@arch: architecture type (UC_ARCH_*)
@mode: hardware mode. This is a combination of UC_MODE_*
@uc: pointer to a uc_engine, updated on return
@return UC_ERR_OK on success, or another value on failure (see the uc_err enum for details).

uc_arch
Architecture selection
typedef enum uc_arch {
    UC_ARCH_ARM = 1,    // ARM architecture (including Thumb, Thumb-2)
    UC_ARCH_ARM64,      // ARM-64, also called AArch64
    UC_ARCH_MIPS,       // Mips architecture
    UC_ARCH_X86,        // X86 architecture (including x86 & x86-64)
    UC_ARCH_PPC,        // PowerPC architecture (not yet supported)
    UC_ARCH_SPARC,      // Sparc architecture
    UC_ARCH_M68K,       // M68K architecture
    UC_ARCH_MAX,
} uc_arch;

uc_mode
Mode selection
typedef enum uc_mode {
    UC_MODE_LITTLE_ENDIAN = 0,    // little-endian mode (default)
    UC_MODE_BIG_ENDIAN = 1 << 30, // big-endian mode

    // arm / arm64
    UC_MODE_ARM = 0,              // ARM mode
    UC_MODE_THUMB = 1 << 4,       // THUMB mode (including Thumb-2)
    UC_MODE_MCLASS = 1 << 5,      // ARM's Cortex-M series (not yet supported)
    UC_MODE_V8 = 1 << 6,          // ARMv8 A32 encodings for ARM (not yet supported)

    // arm (32bit) cpu types
    UC_MODE_ARM926 = 1 << 7,      // ARM926 CPU type
    UC_MODE_ARM946 = 1 << 8,      // ARM946 CPU type
    UC_MODE_ARM1176 = 1 << 9,     // ARM1176 CPU type

    // mips
    UC_MODE_MICRO = 1 << 4,       // MicroMips mode (not yet supported)
    UC_MODE_MIPS3 = 1 << 5,       // Mips III ISA (not yet supported)
    UC_MODE_MIPS32R6 = 1 << 6,    // Mips32r6 ISA (not yet supported)
    UC_MODE_MIPS32 = 1 << 2,      // Mips32 ISA
    UC_MODE_MIPS64 = 1 << 3,      // Mips64 ISA

    // x86 / x64
    UC_MODE_16 = 1 << 1,          // 16-bit mode
    UC_MODE_32 = 1 << 2,          // 32-bit mode
    UC_MODE_64 = 1 << 3,          // 64-bit mode

    // ppc
    UC_MODE_PPC32 = 1 << 2,       // 32-bit mode (not yet supported)
    UC_MODE_PPC64 = 1 << 3,       // 64-bit mode (not yet supported)
    UC_MODE_QPX = 1 << 4,         // Quad Processing eXtensions mode (not yet supported)

    // sparc
    UC_MODE_SPARC32 = 1 << 2,     // 32-bit mode
    UC_MODE_SPARC64 = 1 << 3,     // 64-bit mode
    UC_MODE_V9 = 1 << 4,          // SparcV9 mode (not yet supported)

    // m68k
} uc_mode;

The uc_mem_map function

uc_err uc_mem_map(uc_engine *uc, uint64_t address, size_t size, uint32_t perms);
Map memory
@uc: handle returned by uc_open()
@address: start address of the new memory region to map.
    This address must be 4KB aligned, otherwise UC_ERR_ARG is returned.
@size: size of the new memory region to map.
    This size must be a multiple of 4KB, otherwise UC_ERR_ARG is returned.
@perms: permissions of the newly mapped region.
    This must be some combination of UC_PROT_READ | UC_PROT_WRITE | UC_PROT_EXEC,
    otherwise UC_ERR_ARG is returned.
@return UC_ERR_OK on success, or another value on failure (see the uc_err enum for details).
uc_mem_map(uc, 0x1000LL, 0x2000LL, 7LL);
// map 0x2000 bytes starting at 0x1000 with all permissions

uc_prot
Permissions of a newly mapped region
typedef enum uc_prot {
    UC_PROT_NONE = 0,   // none
    UC_PROT_READ = 1,   // read
    UC_PROT_WRITE = 2,  // write
    UC_PROT_EXEC = 4,   // execute
    UC_PROT_ALL = 7,    // all permissions
} uc_prot;

uc_mem_write

uc_err uc_mem_write(uc_engine *uc, uint64_t address, const void *bytes, size_t size);
Write to memory.
@uc: handle returned by uc_open()
@address: start memory address of the bytes to set.
@bytes: pointer to a variable containing the data to write into memory.
@size: size of memory to write.
NOTE: @bytes must be large enough to contain @size bytes.
@return UC_ERR_OK on success, or another value on failure (see the uc_err enum for details)
uc_mem_write(uc, 0x1000LL, &code, 0x1027LL);
// write the data at code into memory starting at 0x1000
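Once BinDiff has restored the names, the decompiled challenge still shows calls such as uc_mem_map(uc, 0x1000LL, 0x2000LL, 7LL) with bare integers for the enum arguments. The block below is an added example (my own code, not from the post or the Unicorn project) that decodes those integers using the uc_arch, uc_mode and uc_prot values quoted above and the uc_hook_type and uc_x86_insn listings in the next section, and applies the alignment and permission rules documented for uc_mem_map. The uc_open and uc_hook_add call lines in the test, and all function names, are constructed for illustration; the instruction ids are the ones from this page's listing.

```python
import re

# uc_arch values from the header quoted above.
UC_ARCH = {1: "UC_ARCH_ARM", 2: "UC_ARCH_ARM64", 3: "UC_ARCH_MIPS", 4: "UC_ARCH_X86",
           5: "UC_ARCH_PPC", 6: "UC_ARCH_SPARC", 7: "UC_ARCH_M68K"}

# uc_mode bits are overloaded per architecture (1 << 2 is UC_MODE_32 on x86 but
# UC_MODE_MIPS32 on MIPS), so the arch must be known before the mode is decoded.
UC_MODE = {
    "UC_ARCH_ARM": {1 << 4: "UC_MODE_THUMB", 1 << 5: "UC_MODE_MCLASS", 1 << 6: "UC_MODE_V8",
                    1 << 7: "UC_MODE_ARM926", 1 << 8: "UC_MODE_ARM946", 1 << 9: "UC_MODE_ARM1176"},
    "UC_ARCH_ARM64": {},
    "UC_ARCH_MIPS": {1 << 2: "UC_MODE_MIPS32", 1 << 3: "UC_MODE_MIPS64", 1 << 4: "UC_MODE_MICRO",
                     1 << 5: "UC_MODE_MIPS3", 1 << 6: "UC_MODE_MIPS32R6"},
    "UC_ARCH_X86": {1 << 1: "UC_MODE_16", 1 << 2: "UC_MODE_32", 1 << 3: "UC_MODE_64"},
    "UC_ARCH_PPC": {1 << 2: "UC_MODE_PPC32", 1 << 3: "UC_MODE_PPC64", 1 << 4: "UC_MODE_QPX"},
    "UC_ARCH_SPARC": {1 << 2: "UC_MODE_SPARC32", 1 << 3: "UC_MODE_SPARC64", 1 << 4: "UC_MODE_V9"},
    "UC_ARCH_M68K": {},
}
UC_MODE_BIG_ENDIAN = 1 << 30

UC_PROT = [(1, "r"), (2, "w"), (4, "x")]   # UC_PROT_READ / UC_PROT_WRITE / UC_PROT_EXEC
UC_PROT_ALL = 7

UC_HOOK = {1 << i: name for i, name in enumerate([
    "UC_HOOK_INTR", "UC_HOOK_INSN", "UC_HOOK_CODE", "UC_HOOK_BLOCK",
    "UC_HOOK_MEM_READ_UNMAPPED", "UC_HOOK_MEM_WRITE_UNMAPPED", "UC_HOOK_MEM_FETCH_UNMAPPED",
    "UC_HOOK_MEM_READ_PROT", "UC_HOOK_MEM_WRITE_PROT", "UC_HOOK_MEM_FETCH_PROT",
    "UC_HOOK_MEM_READ", "UC_HOOK_MEM_WRITE", "UC_HOOK_MEM_FETCH",
    "UC_HOOK_MEM_READ_AFTER", "UC_HOOK_INSN_INVALID"])}
UC_HOOK_INSN = 1 << 1

# A handful of uc_x86_insn ids from the listing on this page: the ones a binary
# typically passes as the extra argument of uc_hook_add() with UC_HOOK_INSN.
UC_X86_INSN = {56: "UC_X86_INS_CALL", 113: "UC_X86_INS_CPUID", 151: "UC_X86_INS_RET",
               212: "UC_X86_INS_HLT", 218: "UC_X86_INS_IN", 225: "UC_X86_INS_INT",
               500: "UC_X86_INS_OUT", 608: "UC_X86_INS_RDTSC",
               699: "UC_X86_INS_SYSCALL", 700: "UC_X86_INS_SYSENTER"}


def decode_uc_open(arch, mode):
    """Name the (arch, mode) pair passed to uc_open()."""
    arch_name = UC_ARCH.get(arch)
    if arch_name is None:
        raise ValueError("unknown uc_arch value %r" % arch)
    parts = ["UC_MODE_BIG_ENDIAN"] if mode & UC_MODE_BIG_ENDIAN else []
    rest = mode & ~UC_MODE_BIG_ENDIAN
    for bit, name in sorted(UC_MODE[arch_name].items()):
        if rest & bit:
            parts.append(name)
            rest &= ~bit
    if rest:
        parts.append("unknown mode bits 0x%x" % rest)
    return "%s, %s" % (arch_name, " | ".join(parts) or "UC_MODE_LITTLE_ENDIAN")


def check_uc_mem_map(address, size, perms):
    """Apply the argument rules documented for uc_mem_map(): 4 KB-aligned address,
    non-empty size that is a multiple of 4 KB (the engine also rejects an empty
    region), perms within UC_PROT_ALL. Returns (uc_err name, detail); the detail
    is an 'rwx' string when the call is valid."""
    if address % 0x1000:
        return "UC_ERR_ARG", "address 0x%x is not 4KB aligned" % address
    if size == 0 or size % 0x1000:
        return "UC_ERR_ARG", "size 0x%x is not a multiple of 4KB" % size
    if perms & ~UC_PROT_ALL:
        return "UC_ERR_ARG", "perms 0x%x outside UC_PROT_ALL" % perms
    return "UC_ERR_OK", "".join(ch if perms & bit else "-" for bit, ch in UC_PROT)


def decode_uc_hook_add(hook_type, insn_id=None):
    """Expand the uc_hook_type bitmask; for UC_HOOK_INSN also name the
    instruction id passed in the variadic '...' argument."""
    names = [name for bit, name in sorted(UC_HOOK.items()) if hook_type & bit]
    unknown = hook_type & ~sum(UC_HOOK)
    if unknown:
        names.append("unknown hook bits 0x%x" % unknown)
    if hook_type & UC_HOOK_INSN:
        names.append(UC_X86_INSN.get(insn_id, "instruction id %r" % (insn_id,)))
    return names


_CALL_RE = re.compile(r"(uc_\w+)\s*\((.*)\)")


def _int_arg(tok):
    """Parse one decompiler literal such as '0x2000LL', '7LL' or '4'."""
    return int(tok.strip().rstrip("uUlL"), 0)


def explain_call(line):
    """Explain one decompiled uc_* call line, e.g. 'uc_mem_map(uc, 0x1000LL, 0x2000LL, 7LL);'."""
    m = _CALL_RE.search(line)
    if not m:
        raise ValueError("not a uc_* call: %r" % line)
    func, args = m.group(1), [a.strip() for a in m.group(2).split(",")]
    if func == "uc_open":          # uc_open(arch, mode, &uc)
        return decode_uc_open(_int_arg(args[0]), _int_arg(args[1]))
    if func == "uc_mem_map":       # uc_mem_map(uc, address, size, perms)
        return "%s (%s)" % check_uc_mem_map(*(_int_arg(a) for a in args[1:4]))
    if func == "uc_hook_add":      # uc_hook_add(uc, &hh, type, cb, user_data, begin, end, ...)
        insn = _int_arg(args[7]) if len(args) > 7 else None
        return ", ".join(decode_uc_hook_add(_int_arg(args[2]), insn))
    return "no decoder for %s" % func
```

Feeding the page's own uc_mem_map call to explain_call() yields "UC_ERR_OK (rwx)"; a misaligned address or a permission bit outside UC_PROT_ALL yields the UC_ERR_ARG case with the reason.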

uc_hook_add

uc_err uc_hook_add(uc_engine *uc, uc_hook *hh, int type, void *callback,
void *user_data, uint64_t begin, uint64_t end, ...);

Register a callback for a hook event; the callback is invoked when the hook event fires.
@uc: handle returned by uc_open()
@hh: hook handle returned by registration, used by uc_hook_del()
@type: hook type
@callback: callback to run when the instruction is hit
@user_data: user-defined data, passed to the callback as its last argument @user_data
@begin: start address of the region the callback applies to (inclusive)
@end: end address of the region the callback applies to (inclusive)
NOTE 1: the callback is only invoked if the related address is in the range [@begin, @end]
NOTE 2: if @begin > @end, the callback is invoked whenever this hook type is triggered
@...: variable arguments (depending on @type)
NOTE: if @type = UC_HOOK_INSN, this is the instruction ID (e.g. UC_X86_INS_OUT)

@return UC_ERR_OK on success, or another error type from the uc_err enum otherwise

uc_hook_type
All hook type parameters for uc_hook_add()
typedef enum uc_hook_type {
    // Hook all interrupt/syscall events
    UC_HOOK_INTR = 1 << 0,
    // Hook a particular instruction - only a very small subset of instructions is supported
    UC_HOOK_INSN = 1 << 1,
    // Hook a range of code
    UC_HOOK_CODE = 1 << 2,
    // Hook basic blocks
    UC_HOOK_BLOCK = 1 << 3,
    // Hook memory reads on unmapped memory
    UC_HOOK_MEM_READ_UNMAPPED = 1 << 4,
    // Hook invalid memory write events
    UC_HOOK_MEM_WRITE_UNMAPPED = 1 << 5,
    // Hook invalid memory fetch-for-execution events
    UC_HOOK_MEM_FETCH_UNMAPPED = 1 << 6,
    // Hook reads of read-protected memory
    UC_HOOK_MEM_READ_PROT = 1 << 7,
    // Hook writes to write-protected memory
    UC_HOOK_MEM_WRITE_PROT = 1 << 8,
    // Hook fetches from non-executable memory
    UC_HOOK_MEM_FETCH_PROT = 1 << 9,
    // Hook memory read events
    UC_HOOK_MEM_READ = 1 << 10,
    // Hook memory write events
    UC_HOOK_MEM_WRITE = 1 << 11,
    // Hook memory fetch-for-execution events
    UC_HOOK_MEM_FETCH = 1 << 12,
    // Hook memory read events, but only for addresses that can be accessed successfully;
    // the callback is triggered after the read has succeeded
    UC_HOOK_MEM_READ_AFTER = 1 << 13,
    // Hook invalid instruction exceptions
    UC_HOOK_INSN_INVALID = 1 << 14,
} uc_hook_type;

//> X86 instructions
typedef enum uc_x86_insn {
0 UC_X86_INS_INVALID = 0,
1 UC_X86_INS_AAA,
2 UC_X86_INS_AAD,
3 UC_X86_INS_AAM,
4 UC_X86_INS_AAS,
5 UC_X86_INS_FABS,
6 UC_X86_INS_ADC,
7 UC_X86_INS_ADCX,
8 UC_X86_INS_ADD,
9 UC_X86_INS_ADDPD,
10 UC_X86_INS_ADDPS,
11 UC_X86_INS_ADDSD,
12 UC_X86_INS_ADDSS,
13 UC_X86_INS_ADDSUBPD,
14 UC_X86_INS_ADDSUBPS,
15 UC_X86_INS_FADD,
16 UC_X86_INS_FIADD,
17 UC_X86_INS_FADDP,
18 UC_X86_INS_ADOX,
19 UC_X86_INS_AESDECLAST,
20 UC_X86_INS_AESDEC,
21 UC_X86_INS_AESENCLAST,
22 UC_X86_INS_AESENC,
23 UC_X86_INS_AESIMC,
24 UC_X86_INS_AESKEYGENASSIST,
25 UC_X86_INS_AND,
26 UC_X86_INS_ANDN,
27 UC_X86_INS_ANDNPD,
28 UC_X86_INS_ANDNPS,
29 UC_X86_INS_ANDPD,
30 UC_X86_INS_ANDPS,
31 UC_X86_INS_ARPL,
32 UC_X86_INS_BEXTR,
33 UC_X86_INS_BLCFILL,
34 UC_X86_INS_BLCI,
35 UC_X86_INS_BLCIC,
36 UC_X86_INS_BLCMSK,
37 UC_X86_INS_BLCS,
38 UC_X86_INS_BLENDPD,
39 UC_X86_INS_BLENDPS,
40 UC_X86_INS_BLENDVPD,
41 UC_X86_INS_BLENDVPS,
42 UC_X86_INS_BLSFILL,
43 UC_X86_INS_BLSI,
44 UC_X86_INS_BLSIC,
45 UC_X86_INS_BLSMSK,
46 UC_X86_INS_BLSR,
47 UC_X86_INS_BOUND,
48 UC_X86_INS_BSF,
49 UC_X86_INS_BSR,
50 UC_X86_INS_BSWAP,
51 UC_X86_INS_BT,
52 UC_X86_INS_BTC,
53 UC_X86_INS_BTR,
54 UC_X86_INS_BTS,
55 UC_X86_INS_BZHI,
56 UC_X86_INS_CALL,
57 UC_X86_INS_CBW,
58 UC_X86_INS_CDQ,
59 UC_X86_INS_CDQE,
60 UC_X86_INS_FCHS,
61 UC_X86_INS_CLAC,
62 UC_X86_INS_CLC,
63 UC_X86_INS_CLD,
64 UC_X86_INS_CLFLUSH,
65 UC_X86_INS_CLFLUSHOPT,
66 UC_X86_INS_CLGI,
67 UC_X86_INS_CLI,
68 UC_X86_INS_CLTS,
69 UC_X86_INS_CLWB,
70 UC_X86_INS_CMC,
71 UC_X86_INS_CMOVA,
72 UC_X86_INS_CMOVAE,
73 UC_X86_INS_CMOVB,
74 UC_X86_INS_CMOVBE,
75 UC_X86_INS_FCMOVBE,
76 UC_X86_INS_FCMOVB,
77 UC_X86_INS_CMOVE,
78 UC_X86_INS_FCMOVE,
79 UC_X86_INS_CMOVG,
80 UC_X86_INS_CMOVGE,
81 UC_X86_INS_CMOVL,
82 UC_X86_INS_CMOVLE,
83 UC_X86_INS_FCMOVNBE,
84 UC_X86_INS_FCMOVNB,
85 UC_X86_INS_CMOVNE,
86 UC_X86_INS_FCMOVNE,
87 UC_X86_INS_CMOVNO,
88 UC_X86_INS_CMOVNP,
89 UC_X86_INS_FCMOVNU,
90 UC_X86_INS_CMOVNS,
91 UC_X86_INS_CMOVO,
92 UC_X86_INS_CMOVP,
93 UC_X86_INS_FCMOVU,
94 UC_X86_INS_CMOVS,
95 UC_X86_INS_CMP,
96 UC_X86_INS_CMPPD,
97 UC_X86_INS_CMPPS,
98 UC_X86_INS_CMPSB,
99 UC_X86_INS_CMPSD,
100 UC_X86_INS_CMPSQ,
101 UC_X86_INS_CMPSS,
102 UC_X86_INS_CMPSW,
103 UC_X86_INS_CMPXCHG16B,
104 UC_X86_INS_CMPXCHG,
105 UC_X86_INS_CMPXCHG8B,
106 UC_X86_INS_COMISD,
107 UC_X86_INS_COMISS,
108 UC_X86_INS_FCOMP,
109 UC_X86_INS_FCOMPI,
110 UC_X86_INS_FCOMI,
111 UC_X86_INS_FCOM,
112 UC_X86_INS_FCOS,
113 UC_X86_INS_CPUID,
114 UC_X86_INS_CQO,
115 UC_X86_INS_CRC32,
116 UC_X86_INS_CVTDQ2PD,
117 UC_X86_INS_CVTDQ2PS,
118 UC_X86_INS_CVTPD2DQ,
119 UC_X86_INS_CVTPD2PS,
120 UC_X86_INS_CVTPS2DQ,
121 UC_X86_INS_CVTPS2PD,
122 UC_X86_INS_CVTSD2SI,
123 UC_X86_INS_CVTSD2SS,
124 UC_X86_INS_CVTSI2SD,
125 UC_X86_INS_CVTSI2SS,
126 UC_X86_INS_CVTSS2SD,
127 UC_X86_INS_CVTSS2SI,
128 UC_X86_INS_CVTTPD2DQ,
129 UC_X86_INS_CVTTPS2DQ,
130 UC_X86_INS_CVTTSD2SI,
131 UC_X86_INS_CVTTSS2SI,
132 UC_X86_INS_CWD,
133 UC_X86_INS_CWDE,
134 UC_X86_INS_DAA,
135 UC_X86_INS_DAS,
136 UC_X86_INS_DATA16,
137 UC_X86_INS_DEC,
138 UC_X86_INS_DIV,
139 UC_X86_INS_DIVPD,
140 UC_X86_INS_DIVPS,
141 UC_X86_INS_FDIVR,
142 UC_X86_INS_FIDIVR,
143 UC_X86_INS_FDIVRP,
144 UC_X86_INS_DIVSD,
145 UC_X86_INS_DIVSS,
146 UC_X86_INS_FDIV,
147 UC_X86_INS_FIDIV,
148 UC_X86_INS_FDIVP,
149 UC_X86_INS_DPPD,
150 UC_X86_INS_DPPS,
151 UC_X86_INS_RET,
152 UC_X86_INS_ENCLS,
153 UC_X86_INS_ENCLU,
154 UC_X86_INS_ENTER,
155 UC_X86_INS_EXTRACTPS,
156 UC_X86_INS_EXTRQ,
157 UC_X86_INS_F2XM1,
158 UC_X86_INS_LCALL,
159 UC_X86_INS_LJMP,
160 UC_X86_INS_FBLD,
161 UC_X86_INS_FBSTP,
162 UC_X86_INS_FCOMPP,
163 UC_X86_INS_FDECSTP,
164 UC_X86_INS_FEMMS,
165 UC_X86_INS_FFREE,
166 UC_X86_INS_FICOM,
167 UC_X86_INS_FICOMP,
168 UC_X86_INS_FINCSTP,
169 UC_X86_INS_FLDCW,
170 UC_X86_INS_FLDENV,
171 UC_X86_INS_FLDL2E,
172 UC_X86_INS_FLDL2T,
173 UC_X86_INS_FLDLG2,
174 UC_X86_INS_FLDLN2,
175 UC_X86_INS_FLDPI,
176 UC_X86_INS_FNCLEX,
177 UC_X86_INS_FNINIT,
178 UC_X86_INS_FNOP,
179 UC_X86_INS_FNSTCW,
180 UC_X86_INS_FNSTSW,
181 UC_X86_INS_FPATAN,
182 UC_X86_INS_FPREM,
183 UC_X86_INS_FPREM1,
184 UC_X86_INS_FPTAN,
185 UC_X86_INS_FFREEP,
186 UC_X86_INS_FRNDINT,
187 UC_X86_INS_FRSTOR,
188 UC_X86_INS_FNSAVE,
189 UC_X86_INS_FSCALE,
190 UC_X86_INS_FSETPM,
191 UC_X86_INS_FSINCOS,
192 UC_X86_INS_FNSTENV,
193 UC_X86_INS_FXAM,
194 UC_X86_INS_FXRSTOR,
195 UC_X86_INS_FXRSTOR64,
196 UC_X86_INS_FXSAVE,
197 UC_X86_INS_FXSAVE64,
198 UC_X86_INS_FXTRACT,
199 UC_X86_INS_FYL2X,
200 UC_X86_INS_FYL2XP1,
201 UC_X86_INS_MOVAPD,
202 UC_X86_INS_MOVAPS,
203 UC_X86_INS_ORPD,
204 UC_X86_INS_ORPS,
205 UC_X86_INS_VMOVAPD,
206 UC_X86_INS_VMOVAPS,
207 UC_X86_INS_XORPD,
208 UC_X86_INS_XORPS,
209 UC_X86_INS_GETSEC,
210 UC_X86_INS_HADDPD,
211 UC_X86_INS_HADDPS,
212 UC_X86_INS_HLT,
213 UC_X86_INS_HSUBPD,
214 UC_X86_INS_HSUBPS,
215 UC_X86_INS_IDIV,
216 UC_X86_INS_FILD,
217 UC_X86_INS_IMUL,
218 UC_X86_INS_IN,
219 UC_X86_INS_INC,
220 UC_X86_INS_INSB,
221 UC_X86_INS_INSERTPS,
222 UC_X86_INS_INSERTQ,
223 UC_X86_INS_INSD,
224 UC_X86_INS_INSW,
225 UC_X86_INS_INT,
226 UC_X86_INS_INT1,
227 UC_X86_INS_INT3,
228 UC_X86_INS_INTO,
229 UC_X86_INS_INVD,
230 UC_X86_INS_INVEPT,
231 UC_X86_INS_INVLPG,
232 UC_X86_INS_INVLPGA,
233 UC_X86_INS_INVPCID,
234 UC_X86_INS_INVVPID,
235 UC_X86_INS_IRET,
236 UC_X86_INS_IRETD,
237 UC_X86_INS_IRETQ,
238 UC_X86_INS_FISTTP,
239 UC_X86_INS_FIST,
240 UC_X86_INS_FISTP,
241 UC_X86_INS_UCOMISD,
242 UC_X86_INS_UCOMISS,
243 UC_X86_INS_VCOMISD,
244 UC_X86_INS_VCOMISS,
245 UC_X86_INS_VCVTSD2SS,
246 UC_X86_INS_VCVTSI2SD,
247 UC_X86_INS_VCVTSI2SS,
248 UC_X86_INS_VCVTSS2SD,
249 UC_X86_INS_VCVTTSD2SI,
250 UC_X86_INS_VCVTTSD2USI,
251 UC_X86_INS_VCVTTSS2SI,
252 UC_X86_INS_VCVTTSS2USI,
253 UC_X86_INS_VCVTUSI2SD,
254 UC_X86_INS_VCVTUSI2SS,
255 UC_X86_INS_VUCOMISD,
256 UC_X86_INS_VUCOMISS,
257 UC_X86_INS_JAE,
258 UC_X86_INS_JA,
259 UC_X86_INS_JBE,
260 UC_X86_INS_JB,
261 UC_X86_INS_JCXZ,
262 UC_X86_INS_JECXZ,
263 UC_X86_INS_JE,
264 UC_X86_INS_JGE,
265 UC_X86_INS_JG,
266 UC_X86_INS_JLE,
267 UC_X86_INS_JL,
268 UC_X86_INS_JMP,
269 UC_X86_INS_JNE,
270 UC_X86_INS_JNO,
271 UC_X86_INS_JNP,
272 UC_X86_INS_JNS,
273 UC_X86_INS_JO,
274 UC_X86_INS_JP,
275 UC_X86_INS_JRCXZ,
276 UC_X86_INS_JS,
277 UC_X86_INS_KANDB,
278 UC_X86_INS_KANDD,
279 UC_X86_INS_KANDNB,
280 UC_X86_INS_KANDND,
281 UC_X86_INS_KANDNQ,
282 UC_X86_INS_KANDNW,
283 UC_X86_INS_KANDQ,
284 UC_X86_INS_KANDW,
285 UC_X86_INS_KMOVB,
286 UC_X86_INS_KMOVD,
287 UC_X86_INS_KMOVQ,
288 UC_X86_INS_KMOVW,
289 UC_X86_INS_KNOTB,
290 UC_X86_INS_KNOTD,
291 UC_X86_INS_KNOTQ,
292 UC_X86_INS_KNOTW,
293 UC_X86_INS_KORB,
294 UC_X86_INS_KORD,
295 UC_X86_INS_KORQ,
296 UC_X86_INS_KORTESTB,
297 UC_X86_INS_KORTESTD,
298 UC_X86_INS_KORTESTQ,
299 UC_X86_INS_KORTESTW,
300 UC_X86_INS_KORW,
301 UC_X86_INS_KSHIFTLB,
302 UC_X86_INS_KSHIFTLD,
303 UC_X86_INS_KSHIFTLQ,
304 UC_X86_INS_KSHIFTLW,
305 UC_X86_INS_KSHIFTRB,
306 UC_X86_INS_KSHIFTRD,
307 UC_X86_INS_KSHIFTRQ,
308 UC_X86_INS_KSHIFTRW,
309 UC_X86_INS_KUNPCKBW,
310 UC_X86_INS_KXNORB,
311 UC_X86_INS_KXNORD,
312 UC_X86_INS_KXNORQ,
313 UC_X86_INS_KXNORW,
314 UC_X86_INS_KXORB,
315 UC_X86_INS_KXORD,
316 UC_X86_INS_KXORQ,
317 UC_X86_INS_KXORW,
318 UC_X86_INS_LAHF,
319 UC_X86_INS_LAR,
320 UC_X86_INS_LDDQU,
321 UC_X86_INS_LDMXCSR,
322 UC_X86_INS_LDS,
323 UC_X86_INS_FLDZ,
324 UC_X86_INS_FLD1,
325 UC_X86_INS_FLD,
326 UC_X86_INS_LEA,
327 UC_X86_INS_LEAVE,
328 UC_X86_INS_LES,
329 UC_X86_INS_LFENCE,
330 UC_X86_INS_LFS,
331 UC_X86_INS_LGDT,
332 UC_X86_INS_LGS,
333 UC_X86_INS_LIDT,
334 UC_X86_INS_LLDT,
335 UC_X86_INS_LMSW,
336 UC_X86_INS_OR,
337 UC_X86_INS_SUB,
338 UC_X86_INS_XOR,
339 UC_X86_INS_LODSB,
340 UC_X86_INS_LODSD,
341 UC_X86_INS_LODSQ,
342 UC_X86_INS_LODSW,
343 UC_X86_INS_LOOP,
344 UC_X86_INS_LOOPE,
345 UC_X86_INS_LOOPNE,
346 UC_X86_INS_RETF,
347 UC_X86_INS_RETFQ,
348 UC_X86_INS_LSL,
349 UC_X86_INS_LSS,
350 UC_X86_INS_LTR,
351 UC_X86_INS_XADD,
352 UC_X86_INS_LZCNT,
353 UC_X86_INS_MASKMOVDQU,
354 UC_X86_INS_MAXPD,
355 UC_X86_INS_MAXPS,
356 UC_X86_INS_MAXSD,
357 UC_X86_INS_MAXSS,
358 UC_X86_INS_MFENCE,
359 UC_X86_INS_MINPD,
360 UC_X86_INS_MINPS,
361 UC_X86_INS_MINSD,
362 UC_X86_INS_MINSS,
363 UC_X86_INS_CVTPD2PI,
364 UC_X86_INS_CVTPI2PD,
365 UC_X86_INS_CVTPI2PS,
366 UC_X86_INS_CVTPS2PI,
367 UC_X86_INS_CVTTPD2PI,
368 UC_X86_INS_CVTTPS2PI,
369 UC_X86_INS_EMMS,
370 UC_X86_INS_MASKMOVQ,
371 UC_X86_INS_MOVD,
372 UC_X86_INS_MOVDQ2Q,
373 UC_X86_INS_MOVNTQ,
374 UC_X86_INS_MOVQ2DQ,
375 UC_X86_INS_MOVQ,
376 UC_X86_INS_PABSB,
377 UC_X86_INS_PABSD,
378 UC_X86_INS_PABSW,
379 UC_X86_INS_PACKSSDW,
380 UC_X86_INS_PACKSSWB,
381 UC_X86_INS_PACKUSWB,
382 UC_X86_INS_PADDB,
383 UC_X86_INS_PADDD,
384 UC_X86_INS_PADDQ,
385 UC_X86_INS_PADDSB,
386 UC_X86_INS_PADDSW,
387 UC_X86_INS_PADDUSB,
388 UC_X86_INS_PADDUSW,
389 UC_X86_INS_PADDW,
390 UC_X86_INS_PALIGNR,
391 UC_X86_INS_PANDN,
392 UC_X86_INS_PAND,
393 UC_X86_INS_PAVGB,
394 UC_X86_INS_PAVGW,
395 UC_X86_INS_PCMPEQB,
396 UC_X86_INS_PCMPEQD,
397 UC_X86_INS_PCMPEQW,
398 UC_X86_INS_PCMPGTB,
399 UC_X86_INS_PCMPGTD,
400 UC_X86_INS_PCMPGTW,
401 UC_X86_INS_PEXTRW,
402 UC_X86_INS_PHADDSW,
403 UC_X86_INS_PHADDW,
404 UC_X86_INS_PHADDD,
405 UC_X86_INS_PHSUBD,
406 UC_X86_INS_PHSUBSW,
407 UC_X86_INS_PHSUBW,
408 UC_X86_INS_PINSRW,
409 UC_X86_INS_PMADDUBSW,
410 UC_X86_INS_PMADDWD,
411 UC_X86_INS_PMAXSW,
412 UC_X86_INS_PMAXUB,
413 UC_X86_INS_PMINSW,
414 UC_X86_INS_PMINUB,
415 UC_X86_INS_PMOVMSKB,
416 UC_X86_INS_PMULHRSW,
417 UC_X86_INS_PMULHUW,
418 UC_X86_INS_PMULHW,
419 UC_X86_INS_PMULLW,
420 UC_X86_INS_PMULUDQ,
421 UC_X86_INS_POR,
422 UC_X86_INS_PSADBW,
423 UC_X86_INS_PSHUFB,
424 UC_X86_INS_PSHUFW,
425 UC_X86_INS_PSIGNB,
426 UC_X86_INS_PSIGND,
427 UC_X86_INS_PSIGNW,
428 UC_X86_INS_PSLLD,
429 UC_X86_INS_PSLLQ,
430 UC_X86_INS_PSLLW,
431 UC_X86_INS_PSRAD,
432 UC_X86_INS_PSRAW,
433 UC_X86_INS_PSRLD,
434 UC_X86_INS_PSRLQ,
435 UC_X86_INS_PSRLW,
436 UC_X86_INS_PSUBB,
437 UC_X86_INS_PSUBD,
438 UC_X86_INS_PSUBQ,
439 UC_X86_INS_PSUBSB,
440 UC_X86_INS_PSUBSW,
441 UC_X86_INS_PSUBUSB,
442 UC_X86_INS_PSUBUSW,
443 UC_X86_INS_PSUBW,
444 UC_X86_INS_PUNPCKHBW,
445 UC_X86_INS_PUNPCKHDQ,
446 UC_X86_INS_PUNPCKHWD,
447 UC_X86_INS_PUNPCKLBW,
448 UC_X86_INS_PUNPCKLDQ,
449 UC_X86_INS_PUNPCKLWD,
450 UC_X86_INS_PXOR,
451 UC_X86_INS_MONITOR,
452 UC_X86_INS_MONTMUL,
453 UC_X86_INS_MOV,
454 UC_X86_INS_MOVABS,
455 UC_X86_INS_MOVBE,
456 UC_X86_INS_MOVDDUP,
457 UC_X86_INS_MOVDQA,
458 UC_X86_INS_MOVDQU,
459 UC_X86_INS_MOVHLPS,
460 UC_X86_INS_MOVHPD,
461 UC_X86_INS_MOVHPS,
462 UC_X86_INS_MOVLHPS,
463 UC_X86_INS_MOVLPD,
464 UC_X86_INS_MOVLPS,
465 UC_X86_INS_MOVMSKPD,
466 UC_X86_INS_MOVMSKPS,
467 UC_X86_INS_MOVNTDQA,
468 UC_X86_INS_MOVNTDQ,
469 UC_X86_INS_MOVNTI,
470 UC_X86_INS_MOVNTPD,
471 UC_X86_INS_MOVNTPS,
472 UC_X86_INS_MOVNTSD,
473 UC_X86_INS_MOVNTSS,
474 UC_X86_INS_MOVSB,
475 UC_X86_INS_MOVSD,
476 UC_X86_INS_MOVSHDUP,
477 UC_X86_INS_MOVSLDUP,
478 UC_X86_INS_MOVSQ,
479 UC_X86_INS_MOVSS,
480 UC_X86_INS_MOVSW,
481 UC_X86_INS_MOVSX,
482 UC_X86_INS_MOVSXD,
483 UC_X86_INS_MOVUPD,
484 UC_X86_INS_MOVUPS,
485 UC_X86_INS_MOVZX,
486 UC_X86_INS_MPSADBW,
487 UC_X86_INS_MUL,
488 UC_X86_INS_MULPD,
489 UC_X86_INS_MULPS,
490 UC_X86_INS_MULSD,
491 UC_X86_INS_MULSS,
492 UC_X86_INS_MULX,
493 UC_X86_INS_FMUL,
494 UC_X86_INS_FIMUL,
495 UC_X86_INS_FMULP,
496 UC_X86_INS_MWAIT,
497 UC_X86_INS_NEG,
498 UC_X86_INS_NOP,
499 UC_X86_INS_NOT,
500 UC_X86_INS_OUT,
501 UC_X86_INS_OUTSB,
502 UC_X86_INS_OUTSD,
503 UC_X86_INS_OUTSW,
504 UC_X86_INS_PACKUSDW,
505 UC_X86_INS_PAUSE,
506 UC_X86_INS_PAVGUSB,
507 UC_X86_INS_PBLENDVB,
508 UC_X86_INS_PBLENDW,
509 UC_X86_INS_PCLMULQDQ,
510 UC_X86_INS_PCMPEQQ,
511 UC_X86_INS_PCMPESTRI,
512 UC_X86_INS_PCMPESTRM,
513 UC_X86_INS_PCMPGTQ,
514 UC_X86_INS_PCMPISTRI,
515 UC_X86_INS_PCMPISTRM,
516 UC_X86_INS_PCOMMIT,
517 UC_X86_INS_PDEP,
518 UC_X86_INS_PEXT,
519 UC_X86_INS_PEXTRB,
520 UC_X86_INS_PEXTRD,
521 UC_X86_INS_PEXTRQ,
522 UC_X86_INS_PF2ID,
523 UC_X86_INS_PF2IW,
524 UC_X86_INS_PFACC,
525 UC_X86_INS_PFADD,
526 UC_X86_INS_PFCMPEQ,
527 UC_X86_INS_PFCMPGE,
528 UC_X86_INS_PFCMPGT,
529 UC_X86_INS_PFMAX,
530 UC_X86_INS_PFMIN,
531 UC_X86_INS_PFMUL,
532 UC_X86_INS_PFNACC,
533 UC_X86_INS_PFPNACC,
534 UC_X86_INS_PFRCPIT1,
535 UC_X86_INS_PFRCPIT2,
536 UC_X86_INS_PFRCP,
537 UC_X86_INS_PFRSQIT1,
538 UC_X86_INS_PFRSQRT,
539 UC_X86_INS_PFSUBR,
540 UC_X86_INS_PFSUB,
541 UC_X86_INS_PHMINPOSUW,
542 UC_X86_INS_PI2FD,
543 UC_X86_INS_PI2FW,
544 UC_X86_INS_PINSRB,
545 UC_X86_INS_PINSRD,
546 UC_X86_INS_PINSRQ,
547 UC_X86_INS_PMAXSB,
548 UC_X86_INS_PMAXSD,
549 UC_X86_INS_PMAXUD,
550 UC_X86_INS_PMAXUW,
551 UC_X86_INS_PMINSB,
552 UC_X86_INS_PMINSD,
553 UC_X86_INS_PMINUD,
554 UC_X86_INS_PMINUW,
555 UC_X86_INS_PMOVSXBD,
556 UC_X86_INS_PMOVSXBQ,
557 UC_X86_INS_PMOVSXBW,
558 UC_X86_INS_PMOVSXDQ,
559 UC_X86_INS_PMOVSXWD,
560 UC_X86_INS_PMOVSXWQ,
561 UC_X86_INS_PMOVZXBD,
562 UC_X86_INS_PMOVZXBQ,
563 UC_X86_INS_PMOVZXBW,
564 UC_X86_INS_PMOVZXDQ,
565 UC_X86_INS_PMOVZXWD,
566 UC_X86_INS_PMOVZXWQ,
567 UC_X86_INS_PMULDQ,
568 UC_X86_INS_PMULHRW,
569 UC_X86_INS_PMULLD,
570 UC_X86_INS_POP,
571 UC_X86_INS_POPAW,
572 UC_X86_INS_POPAL,
573 UC_X86_INS_POPCNT,
574 UC_X86_INS_POPF,
575 UC_X86_INS_POPFD,
576 UC_X86_INS_POPFQ,
577 UC_X86_INS_PREFETCH,
578 UC_X86_INS_PREFETCHNTA,
579 UC_X86_INS_PREFETCHT0,
580 UC_X86_INS_PREFETCHT1,
581 UC_X86_INS_PREFETCHT2,
582 UC_X86_INS_PREFETCHW,
583 UC_X86_INS_PSHUFD,
584 UC_X86_INS_PSHUFHW,
585 UC_X86_INS_PSHUFLW,
586 UC_X86_INS_PSLLDQ,
587 UC_X86_INS_PSRLDQ,
588 UC_X86_INS_PSWAPD,
589 UC_X86_INS_PTEST,
590 UC_X86_INS_PUNPCKHQDQ,
591 UC_X86_INS_PUNPCKLQDQ,
592 UC_X86_INS_PUSH,
593 UC_X86_INS_PUSHAW,
594 UC_X86_INS_PUSHAL,
595 UC_X86_INS_PUSHF,
596 UC_X86_INS_PUSHFD,
597 UC_X86_INS_PUSHFQ,
598 UC_X86_INS_RCL,
599 UC_X86_INS_RCPPS,
600 UC_X86_INS_RCPSS,
601 UC_X86_INS_RCR,
602 UC_X86_INS_RDFSBASE,
603 UC_X86_INS_RDGSBASE,
604 UC_X86_INS_RDMSR,
605 UC_X86_INS_RDPMC,
606 UC_X86_INS_RDRAND,
607 UC_X86_INS_RDSEED,
608 UC_X86_INS_RDTSC,
609 UC_X86_INS_RDTSCP,
610 UC_X86_INS_ROL,
611 UC_X86_INS_ROR,
612 UC_X86_INS_RORX,
613 UC_X86_INS_ROUNDPD,
614 UC_X86_INS_ROUNDPS,
615 UC_X86_INS_ROUNDSD,
616 UC_X86_INS_ROUNDSS,
617 UC_X86_INS_RSM,
618 UC_X86_INS_RSQRTPS,
619 UC_X86_INS_RSQRTSS,
620 UC_X86_INS_SAHF,
621 UC_X86_INS_SAL,
622 UC_X86_INS_SALC,
623 UC_X86_INS_SAR,
624 UC_X86_INS_SARX,
625 UC_X86_INS_SBB,
626 UC_X86_INS_SCASB,
627 UC_X86_INS_SCASD,
628 UC_X86_INS_SCASQ,
629 UC_X86_INS_SCASW,
630 UC_X86_INS_SETAE,
631 UC_X86_INS_SETA,
632 UC_X86_INS_SETBE,
633 UC_X86_INS_SETB,
634 UC_X86_INS_SETE,
635 UC_X86_INS_SETGE,
636 UC_X86_INS_SETG,
637 UC_X86_INS_SETLE,
638 UC_X86_INS_SETL,
639 UC_X86_INS_SETNE,
640 UC_X86_INS_SETNO,
641 UC_X86_INS_SETNP,
642 UC_X86_INS_SETNS,
643 UC_X86_INS_SETO,
644 UC_X86_INS_SETP,
645 UC_X86_INS_SETS,
646 UC_X86_INS_SFENCE,
647 UC_X86_INS_SGDT,
648 UC_X86_INS_SHA1MSG1,
649 UC_X86_INS_SHA1MSG2,
650 UC_X86_INS_SHA1NEXTE,
651 UC_X86_INS_SHA1RNDS4,
652 UC_X86_INS_SHA256MSG1,
653 UC_X86_INS_SHA256MSG2,
654 UC_X86_INS_SHA256RNDS2,
655 UC_X86_INS_SHL,
656 UC_X86_INS_SHLD,
657 UC_X86_INS_SHLX,
658 UC_X86_INS_SHR,
659 UC_X86_INS_SHRD,
660 UC_X86_INS_SHRX,
661 UC_X86_INS_SHUFPD,
662 UC_X86_INS_SHUFPS,
663 UC_X86_INS_SIDT,
664 UC_X86_INS_FSIN,
665 UC_X86_INS_SKINIT,
666 UC_X86_INS_SLDT,
667 UC_X86_INS_SMSW,
668 UC_X86_INS_SQRTPD,
669 UC_X86_INS_SQRTPS,
670 UC_X86_INS_SQRTSD,
671 UC_X86_INS_SQRTSS,
672 UC_X86_INS_FSQRT,
673 UC_X86_INS_STAC,
674 UC_X86_INS_STC,
675 UC_X86_INS_STD,
676 UC_X86_INS_STGI,
677 UC_X86_INS_STI,
678 UC_X86_INS_STMXCSR,
679 UC_X86_INS_STOSB,
680 UC_X86_INS_STOSD,
681 UC_X86_INS_STOSQ,
682 UC_X86_INS_STOSW,
683 UC_X86_INS_STR,
684 UC_X86_INS_FST,
685 UC_X86_INS_FSTP,
686 UC_X86_INS_FSTPNCE,
687 UC_X86_INS_FXCH,
688 UC_X86_INS_SUBPD,
689 UC_X86_INS_SUBPS,
690 UC_X86_INS_FSUBR,
691 UC_X86_INS_FISUBR,
692 UC_X86_INS_FSUBRP,
693 UC_X86_INS_SUBSD,
694 UC_X86_INS_SUBSS,
695 UC_X86_INS_FSUB,
696 UC_X86_INS_FISUB,
697 UC_X86_INS_FSUBP,
698 UC_X86_INS_SWAPGS,
699 UC_X86_INS_SYSCALL,
700 UC_X86_INS_SYSENTER,
701 UC_X86_INS_SYSEXIT,
702 UC_X86_INS_SYSRET,
703 UC_X86_INS_T1MSKC,
704 UC_X86_INS_TEST,
705 UC_X86_INS_UD2,
706 UC_X86_INS_FTST,
707 UC_X86_INS_TZCNT,
708 UC_X86_INS_TZMSK,
709 UC_X86_INS_FUCOMPI,
710 UC_X86_INS_FUCOMI,
711 UC_X86_INS_FUCOMPP,
712 UC_X86_INS_FUCOMP,
713 UC_X86_INS_FUCOM,
714 UC_X86_INS_UD2B,
715 UC_X86_INS_UNPCKHPD,
716 UC_X86_INS_UNPCKHPS,
717 UC_X86_INS_UNPCKLPD,
718 UC_X86_INS_UNPCKLPS,
719 UC_X86_INS_VADDPD,
720 UC_X86_INS_VADDPS,
721 UC_X86_INS_VADDSD,
722 UC_X86_INS_VADDSS,
723 UC_X86_INS_VADDSUBPD,
724 UC_X86_INS_VADDSUBPS,
725 UC_X86_INS_VAESDECLAST,
726 UC_X86_INS_VAESDEC,
727 UC_X86_INS_VAESENCLAST,
728 UC_X86_INS_VAESENC,
729 UC_X86_INS_VAESIMC,
730 UC_X86_INS_VAESKEYGENASSIST,
731 UC_X86_INS_VALIGND,
732 UC_X86_INS_VALIGNQ,
733 UC_X86_INS_VANDNPD,
734 UC_X86_INS_VANDNPS,
735 UC_X86_INS_VANDPD,
736 UC_X86_INS_VANDPS,
737 UC_X86_INS_VBLENDMPD,
738 UC_X86_INS_VBLENDMPS,
739 UC_X86_INS_VBLENDPD,
740 UC_X86_INS_VBLENDPS,
741 UC_X86_INS_VBLENDVPD,
742 UC_X86_INS_VBLENDVPS,
743 UC_X86_INS_VBROADCASTF128,
744 UC_X86_INS_VBROADCASTI32X4,
745 UC_X86_INS_VBROADCASTI64X4,
746 UC_X86_INS_VBROADCASTSD,
747 UC_X86_INS_VBROADCASTSS,
748 UC_X86_INS_VCMPPD,
749 UC_X86_INS_VCMPPS,
750 UC_X86_INS_VCMPSD,
751 UC_X86_INS_VCMPSS,
752 UC_X86_INS_VCOMPRESSPD,
753 UC_X86_INS_VCOMPRESSPS,
754 UC_X86_INS_VCVTDQ2PD,
755 UC_X86_INS_VCVTDQ2PS,
756 UC_X86_INS_VCVTPD2DQX,
757 UC_X86_INS_VCVTPD2DQ,
758 UC_X86_INS_VCVTPD2PSX,
759 UC_X86_INS_VCVTPD2PS,
760 UC_X86_INS_VCVTPD2UDQ,
761 UC_X86_INS_VCVTPH2PS,
762 UC_X86_INS_VCVTPS2DQ,
763 UC_X86_INS_VCVTPS2PD,
764 UC_X86_INS_VCVTPS2PH,
765 UC_X86_INS_VCVTPS2UDQ,
766 UC_X86_INS_VCVTSD2SI,
767 UC_X86_INS_VCVTSD2USI,
768 UC_X86_INS_VCVTSS2SI,
769 UC_X86_INS_VCVTSS2USI,
770 UC_X86_INS_VCVTTPD2DQX,
771 UC_X86_INS_VCVTTPD2DQ,
772 UC_X86_INS_VCVTTPD2UDQ,
773 UC_X86_INS_VCVTTPS2DQ,
774 UC_X86_INS_VCVTTPS2UDQ,
775 UC_X86_INS_VCVTUDQ2PD,
776 UC_X86_INS_VCVTUDQ2PS,
777 UC_X86_INS_VDIVPD,
778 UC_X86_INS_VDIVPS,
779 UC_X86_INS_VDIVSD,
780 UC_X86_INS_VDIVSS,
781 UC_X86_INS_VDPPD,
782 UC_X86_INS_VDPPS,
783 UC_X86_INS_VERR,
784 UC_X86_INS_VERW,
785 UC_X86_INS_VEXP2PD,
786 UC_X86_INS_VEXP2PS,
787 UC_X86_INS_VEXPANDPD,
788 UC_X86_INS_VEXPANDPS,
789 UC_X86_INS_VEXTRACTF128,
790 UC_X86_INS_VEXTRACTF32X4,
791 UC_X86_INS_VEXTRACTF64X4,
792 UC_X86_INS_VEXTRACTI128,
793 UC_X86_INS_VEXTRACTI32X4,
794 UC_X86_INS_VEXTRACTI64X4,
795 UC_X86_INS_VEXTRACTPS,
796 UC_X86_INS_VFMADD132PD,
797 UC_X86_INS_VFMADD132PS,
798 UC_X86_INS_VFMADDPD,
799 UC_X86_INS_VFMADD213PD,
800 UC_X86_INS_VFMADD231PD,
801 UC_X86_INS_VFMADDPS,
802 UC_X86_INS_VFMADD213PS,
803 UC_X86_INS_VFMADD231PS,
804 UC_X86_INS_VFMADDSD,
805 UC_X86_INS_VFMADD213SD,
806 UC_X86_INS_VFMADD132SD,
807 UC_X86_INS_VFMADD231SD,
808 UC_X86_INS_VFMADDSS,
809 UC_X86_INS_VFMADD213SS,
810 UC_X86_INS_VFMADD132SS,
811 UC_X86_INS_VFMADD231SS,
812 UC_X86_INS_VFMADDSUB132PD,
813 UC_X86_INS_VFMADDSUB132PS,
814 UC_X86_INS_VFMADDSUBPD,
815 UC_X86_INS_VFMADDSUB213PD,
816 UC_X86_INS_VFMADDSUB231PD,
817 UC_X86_INS_VFMADDSUBPS,
818 UC_X86_INS_VFMADDSUB213PS,
819 UC_X86_INS_VFMADDSUB231PS,
820 UC_X86_INS_VFMSUB132PD,
821 UC_X86_INS_VFMSUB132PS,
822 UC_X86_INS_VFMSUBADD132PD,
823 UC_X86_INS_VFMSUBADD132PS,
824 UC_X86_INS_VFMSUBADDPD,
825 UC_X86_INS_VFMSUBADD213PD,
826 UC_X86_INS_VFMSUBADD231PD,
827 UC_X86_INS_VFMSUBADDPS,
828 UC_X86_INS_VFMSUBADD213PS,
829 UC_X86_INS_VFMSUBADD231PS,
830 UC_X86_INS_VFMSUBPD,
831 UC_X86_INS_VFMSUB213PD,
832 UC_X86_INS_VFMSUB231PD,
833 UC_X86_INS_VFMSUBPS,
834 UC_X86_INS_VFMSUB213PS,
835 UC_X86_INS_VFMSUB231PS,
836 UC_X86_INS_VFMSUBSD,
837 UC_X86_INS_VFMSUB213SD,
838 UC_X86_INS_VFMSUB132SD,
839 UC_X86_INS_VFMSUB231SD,
840 UC_X86_INS_VFMSUBSS,
841 UC_X86_INS_VFMSUB213SS,
842 UC_X86_INS_VFMSUB132SS,
843 UC_X86_INS_VFMSUB231SS,
844 UC_X86_INS_VFNMADD132PD,
845 UC_X86_INS_VFNMADD132PS,
846 UC_X86_INS_VFNMADDPD,
847 UC_X86_INS_VFNMADD213PD,
848 UC_X86_INS_VFNMADD231PD,
849 UC_X86_INS_VFNMADDPS,
850 UC_X86_INS_VFNMADD213PS,
851 UC_X86_INS_VFNMADD231PS,
852 UC_X86_INS_VFNMADDSD,
853 UC_X86_INS_VFNMADD213SD,
854 UC_X86_INS_VFNMADD132SD,
855 UC_X86_INS_VFNMADD231SD,
856 UC_X86_INS_VFNMADDSS,
857 UC_X86_INS_VFNMADD213SS,
858 UC_X86_INS_VFNMADD132SS,
859 UC_X86_INS_VFNMADD231SS,
860 UC_X86_INS_VFNMSUB132PD,
861 UC_X86_INS_VFNMSUB132PS,
862 UC_X86_INS_VFNMSUBPD,
863 UC_X86_INS_VFNMSUB213PD,
864 UC_X86_INS_VFNMSUB231PD,
865 UC_X86_INS_VFNMSUBPS,
866 UC_X86_INS_VFNMSUB213PS,
867 UC_X86_INS_VFNMSUB231PS,
868 UC_X86_INS_VFNMSUBSD,
869 UC_X86_INS_VFNMSUB213SD,
870 UC_X86_INS_VFNMSUB132SD,
871 UC_X86_INS_VFNMSUB231SD,
872 UC_X86_INS_VFNMSUBSS,
873 UC_X86_INS_VFNMSUB213SS,
874 UC_X86_INS_VFNMSUB132SS,
875 UC_X86_INS_VFNMSUB231SS,
876 UC_X86_INS_VFRCZPD,
877 UC_X86_INS_VFRCZPS,
878 UC_X86_INS_VFRCZSD,
879 UC_X86_INS_VFRCZSS,
880 UC_X86_INS_VORPD,
881 UC_X86_INS_VORPS,
882 UC_X86_INS_VXORPD,
883 UC_X86_INS_VXORPS,
884 UC_X86_INS_VGATHERDPD,
885 UC_X86_INS_VGATHERDPS,
886 UC_X86_INS_VGATHERPF0DPD,
887 UC_X86_INS_VGATHERPF0DPS,
888 UC_X86_INS_VGATHERPF0QPD,
889 UC_X86_INS_VGATHERPF0QPS,
890 UC_X86_INS_VGATHERPF1DPD,
891 UC_X86_INS_VGATHERPF1DPS,
892 UC_X86_INS_VGATHERPF1QPD,
893 UC_X86_INS_VGATHERPF1QPS,
894 UC_X86_INS_VGATHERQPD,
895 UC_X86_INS_VGATHERQPS,
896 UC_X86_INS_VHADDPD,
897 UC_X86_INS_VHADDPS,
898 UC_X86_INS_VHSUBPD,
899 UC_X86_INS_VHSUBPS,
900 UC_X86_INS_VINSERTF128,
901 UC_X86_INS_VINSERTF32X4,
902 UC_X86_INS_VINSERTF32X8,
903 UC_X86_INS_VINSERTF64X2,
904 UC_X86_INS_VINSERTF64X4,
905 UC_X86_INS_VINSERTI128,
906 UC_X86_INS_VINSERTI32X4,
907 UC_X86_INS_VINSERTI32X8,
908 UC_X86_INS_VINSERTI64X2,
909 UC_X86_INS_VINSERTI64X4,
910 UC_X86_INS_VINSERTPS,
911 UC_X86_INS_VLDDQU,
912 UC_X86_INS_VLDMXCSR,
913 UC_X86_INS_VMASKMOVDQU,
914 UC_X86_INS_VMASKMOVPD,
915 UC_X86_INS_VMASKMOVPS,
916 UC_X86_INS_VMAXPD,
917 UC_X86_INS_VMAXPS,
918 UC_X86_INS_VMAXSD,
919 UC_X86_INS_VMAXSS,
920 UC_X86_INS_VMCALL,
921 UC_X86_INS_VMCLEAR,
922 UC_X86_INS_VMFUNC,
923 UC_X86_INS_VMINPD,
924 UC_X86_INS_VMINPS,
925 UC_X86_INS_VMINSD,
926 UC_X86_INS_VMINSS,
927 UC_X86_INS_VMLAUNCH,
928 UC_X86_INS_VMLOAD,
929 UC_X86_INS_VMMCALL,
930 UC_X86_INS_VMOVQ,
931 UC_X86_INS_VMOVDDUP,
932 UC_X86_INS_VMOVD,
933 UC_X86_INS_VMOVDQA32,
934 UC_X86_INS_VMOVDQA64,
935 UC_X86_INS_VMOVDQA,
936 UC_X86_INS_VMOVDQU16,
937 UC_X86_INS_VMOVDQU32,
938 UC_X86_INS_VMOVDQU64,
939 UC_X86_INS_VMOVDQU8,
940 UC_X86_INS_VMOVDQU,
941 UC_X86_INS_VMOVHLPS,
942 UC_X86_INS_VMOVHPD,
943 UC_X86_INS_VMOVHPS,
944 UC_X86_INS_VMOVLHPS,
945 UC_X86_INS_VMOVLPD,
946 UC_X86_INS_VMOVLPS,
947 UC_X86_INS_VMOVMSKPD,
948 UC_X86_INS_VMOVMSKPS,
949 UC_X86_INS_VMOVNTDQA,
950 UC_X86_INS_VMOVNTDQ,
951 UC_X86_INS_VMOVNTPD,
952 UC_X86_INS_VMOVNTPS,
953 UC_X86_INS_VMOVSD,
954 UC_X86_INS_VMOVSHDUP,
955 UC_X86_INS_VMOVSLDUP,
956 UC_X86_INS_VMOVSS,
957 UC_X86_INS_VMOVUPD,
958 UC_X86_INS_VMOVUPS,
959 UC_X86_INS_VMPSADBW,
960 UC_X86_INS_VMPTRLD,
961 UC_X86_INS_VMPTRST,
962 UC_X86_INS_VMREAD,
963 UC_X86_INS_VMRESUME,
964 UC_X86_INS_VMRUN,
965 UC_X86_INS_VMSAVE,
966 UC_X86_INS_VMULPD,
967 UC_X86_INS_VMULPS,
968 UC_X86_INS_VMULSD,
969 UC_X86_INS_VMULSS,
970 UC_X86_INS_VMWRITE,
971 UC_X86_INS_VMXOFF,
972 UC_X86_INS_VMXON,
973 UC_X86_INS_VPABSB,
974 UC_X86_INS_VPABSD,
975 UC_X86_INS_VPABSQ,
976 UC_X86_INS_VPABSW,
977 UC_X86_INS_VPACKSSDW,
978 UC_X86_INS_VPACKSSWB,
979 UC_X86_INS_VPACKUSDW,
980 UC_X86_INS_VPACKUSWB,
981 UC_X86_INS_VPADDB,
982 UC_X86_INS_VPADDD,
983 UC_X86_INS_VPADDQ,
984 UC_X86_INS_VPADDSB,
985 UC_X86_INS_VPADDSW,
986 UC_X86_INS_VPADDUSB,
987 UC_X86_INS_VPADDUSW,
988 UC_X86_INS_VPADDW,
989 UC_X86_INS_VPALIGNR,
990 UC_X86_INS_VPANDD,
991 UC_X86_INS_VPANDND,
992 UC_X86_INS_VPANDNQ,
993 UC_X86_INS_VPANDN,
994 UC_X86_INS_VPANDQ,
995 UC_X86_INS_VPAND,
996 UC_X86_INS_VPAVGB,
997 UC_X86_INS_VPAVGW,
998 UC_X86_INS_VPBLENDD,
999 UC_X86_INS_VPBLENDMB,
1000 UC_X86_INS_VPBLENDMD,
1001 UC_X86_INS_VPBLENDMQ,
1002 UC_X86_INS_VPBLENDMW,
1003 UC_X86_INS_VPBLENDVB,
1004 UC_X86_INS_VPBLENDW,
1005 UC_X86_INS_VPBROADCASTB,
1006 UC_X86_INS_VPBROADCASTD,
1007 UC_X86_INS_VPBROADCASTMB2Q,
1008 UC_X86_INS_VPBROADCASTMW2D,
1009 UC_X86_INS_VPBROADCASTQ,
1010 UC_X86_INS_VPBROADCASTW,
1011 UC_X86_INS_VPCLMULQDQ,
1012 UC_X86_INS_VPCMOV,
1013 UC_X86_INS_VPCMPB,
1014 UC_X86_INS_VPCMPD,
1015 UC_X86_INS_VPCMPEQB,
1016 UC_X86_INS_VPCMPEQD,
1017 UC_X86_INS_VPCMPEQQ,
1018 UC_X86_INS_VPCMPEQW,
1019 UC_X86_INS_VPCMPESTRI,
1020 UC_X86_INS_VPCMPESTRM,
1021 UC_X86_INS_VPCMPGTB,
1022 UC_X86_INS_VPCMPGTD,
1023 UC_X86_INS_VPCMPGTQ,
1024 UC_X86_INS_VPCMPGTW,
1025 UC_X86_INS_VPCMPISTRI,
1026 UC_X86_INS_VPCMPISTRM,
1027 UC_X86_INS_VPCMPQ,
1028 UC_X86_INS_VPCMPUB,
1029 UC_X86_INS_VPCMPUD,
1030 UC_X86_INS_VPCMPUQ,
1031 UC_X86_INS_VPCMPUW,
1032 UC_X86_INS_VPCMPW,
1033 UC_X86_INS_VPCOMB,
1034 UC_X86_INS_VPCOMD,
1035 UC_X86_INS_VPCOMPRESSD,
1036 UC_X86_INS_VPCOMPRESSQ,
1037 UC_X86_INS_VPCOMQ,
1038 UC_X86_INS_VPCOMUB,
1039 UC_X86_INS_VPCOMUD,
1040 UC_X86_INS_VPCOMUQ,
1041 UC_X86_INS_VPCOMUW,
1042 UC_X86_INS_VPCOMW,
1043 UC_X86_INS_VPCONFLICTD,
1044 UC_X86_INS_VPCONFLICTQ,
1045 UC_X86_INS_VPERM2F128,
1046 UC_X86_INS_VPERM2I128,
1047 UC_X86_INS_VPERMD,
1048 UC_X86_INS_VPERMI2D,
1049 UC_X86_INS_VPERMI2PD,
1050 UC_X86_INS_VPERMI2PS,
1051 UC_X86_INS_VPERMI2Q,
1052 UC_X86_INS_VPERMIL2PD,
1053 UC_X86_INS_VPERMIL2PS,
1054 UC_X86_INS_VPERMILPD,
1055 UC_X86_INS_VPERMILPS,
1056 UC_X86_INS_VPERMPD,
1057 UC_X86_INS_VPERMPS,
1058 UC_X86_INS_VPERMQ,
1059 UC_X86_INS_VPERMT2D,
1060 UC_X86_INS_VPERMT2PD,
1061 UC_X86_INS_VPERMT2PS,
1062 UC_X86_INS_VPERMT2Q,
1063 UC_X86_INS_VPEXPANDD,
1064 UC_X86_INS_VPEXPANDQ,
1065 UC_X86_INS_VPEXTRB,
1066 UC_X86_INS_VPEXTRD,
1067 UC_X86_INS_VPEXTRQ,
1068 UC_X86_INS_VPEXTRW,
1069 UC_X86_INS_VPGATHERDD,
1070 UC_X86_INS_VPGATHERDQ,
1071 UC_X86_INS_VPGATHERQD,
1072 UC_X86_INS_VPGATHERQQ,
1073 UC_X86_INS_VPHADDBD,
1074 UC_X86_INS_VPHADDBQ,
1075 UC_X86_INS_VPHADDBW,
1076 UC_X86_INS_VPHADDDQ,
1077 UC_X86_INS_VPHADDD,
1078 UC_X86_INS_VPHADDSW,
1079 UC_X86_INS_VPHADDUBD,
1080 UC_X86_INS_VPHADDUBQ,
1081 UC_X86_INS_VPHADDUBW,
1082 UC_X86_INS_VPHADDUDQ,
1083 UC_X86_INS_VPHADDUWD,
1084 UC_X86_INS_VPHADDUWQ,
1085 UC_X86_INS_VPHADDWD,
1086 UC_X86_INS_VPHADDWQ,
1087 UC_X86_INS_VPHADDW,
1088 UC_X86_INS_VPHMINPOSUW,
1089 UC_X86_INS_VPHSUBBW,
1090 UC_X86_INS_VPHSUBDQ,
1091 UC_X86_INS_VPHSUBD,
1092 UC_X86_INS_VPHSUBSW,
1093 UC_X86_INS_VPHSUBWD,
1094 UC_X86_INS_VPHSUBW,
1095 UC_X86_INS_VPINSRB,
1096 UC_X86_INS_VPINSRD,
1097 UC_X86_INS_VPINSRQ,
1098 UC_X86_INS_VPINSRW,
1099 UC_X86_INS_VPLZCNTD,
1100 UC_X86_INS_VPLZCNTQ,
1101 UC_X86_INS_VPMACSDD,
1102 UC_X86_INS_VPMACSDQH,
1103 UC_X86_INS_VPMACSDQL,
1104 UC_X86_INS_VPMACSSDD,
1105 UC_X86_INS_VPMACSSDQH,
1106 UC_X86_INS_VPMACSSDQL,
1107 UC_X86_INS_VPMACSSWD,
1108 UC_X86_INS_VPMACSSWW,
1109 UC_X86_INS_VPMACSWD,
1110 UC_X86_INS_VPMACSWW,
1111 UC_X86_INS_VPMADCSSWD,
1112 UC_X86_INS_VPMADCSWD,
1113 UC_X86_INS_VPMADDUBSW,
1114 UC_X86_INS_VPMADDWD,
1115 UC_X86_INS_VPMASKMOVD,
1116 UC_X86_INS_VPMASKMOVQ,
1117 UC_X86_INS_VPMAXSB,
1118 UC_X86_INS_VPMAXSD,
1119 UC_X86_INS_VPMAXSQ,
1120 UC_X86_INS_VPMAXSW,
1121 UC_X86_INS_VPMAXUB,
1122 UC_X86_INS_VPMAXUD,
1123 UC_X86_INS_VPMAXUQ,
1124 UC_X86_INS_VPMAXUW,
1125 UC_X86_INS_VPMINSB,
1126 UC_X86_INS_VPMINSD,
1127 UC_X86_INS_VPMINSQ,
1128 UC_X86_INS_VPMINSW,
1129 UC_X86_INS_VPMINUB,
1130 UC_X86_INS_VPMINUD,
1131 UC_X86_INS_VPMINUQ,
1132 UC_X86_INS_VPMINUW,
1133 UC_X86_INS_VPMOVDB,
1134 UC_X86_INS_VPMOVDW,
1135 UC_X86_INS_VPMOVM2B,
1136 UC_X86_INS_VPMOVM2D,
1137 UC_X86_INS_VPMOVM2Q,
1138 UC_X86_INS_VPMOVM2W,
1139 UC_X86_INS_VPMOVMSKB,
1140 UC_X86_INS_VPMOVQB,
1141 UC_X86_INS_VPMOVQD,
1142 UC_X86_INS_VPMOVQW,
1143 UC_X86_INS_VPMOVSDB,
1144 UC_X86_INS_VPMOVSDW,
1145 UC_X86_INS_VPMOVSQB,
1146 UC_X86_INS_VPMOVSQD,
1147 UC_X86_INS_VPMOVSQW,
1148 UC_X86_INS_VPMOVSXBD,
1149 UC_X86_INS_VPMOVSXBQ,
1150 UC_X86_INS_VPMOVSXBW,
1151 UC_X86_INS_VPMOVSXDQ,
1152 UC_X86_INS_VPMOVSXWD,
1153 UC_X86_INS_VPMOVSXWQ,
1154 UC_X86_INS_VPMOVUSDB,
1155 UC_X86_INS_VPMOVUSDW,
1156 UC_X86_INS_VPMOVUSQB,
1157 UC_X86_INS_VPMOVUSQD,
1158 UC_X86_INS_VPMOVUSQW,
1159 UC_X86_INS_VPMOVZXBD,
1160 UC_X86_INS_VPMOVZXBQ,
1161 UC_X86_INS_VPMOVZXBW,
1162 UC_X86_INS_VPMOVZXDQ,
1163 UC_X86_INS_VPMOVZXWD,
1164 UC_X86_INS_VPMOVZXWQ,
1165 UC_X86_INS_VPMULDQ,
1166 UC_X86_INS_VPMULHRSW,
1167 UC_X86_INS_VPMULHUW,
1168 UC_X86_INS_VPMULHW,
1169 UC_X86_INS_VPMULLD,
1170 UC_X86_INS_VPMULLQ,
1171 UC_X86_INS_VPMULLW,
1172 UC_X86_INS_VPMULUDQ,
1173 UC_X86_INS_VPORD,
1174 UC_X86_INS_VPORQ,
1175 UC_X86_INS_VPOR,
1176 UC_X86_INS_VPPERM,
1177 UC_X86_INS_VPROTB,
1178 UC_X86_INS_VPROTD,
1179 UC_X86_INS_VPROTQ,
1180 UC_X86_INS_VPROTW,
1181 UC_X86_INS_VPSADBW,
1182 UC_X86_INS_VPSCATTERDD,
1183 UC_X86_INS_VPSCATTERDQ,
1184 UC_X86_INS_VPSCATTERQD,
1185 UC_X86_INS_VPSCATTERQQ,
1186 UC_X86_INS_VPSHAB,
1187 UC_X86_INS_VPSHAD,
1188 UC_X86_INS_VPSHAQ,
1189 UC_X86_INS_VPSHAW,
1190 UC_X86_INS_VPSHLB,
1191 UC_X86_INS_VPSHLD,
1192 UC_X86_INS_VPSHLQ,
1193 UC_X86_INS_VPSHLW,
1194 UC_X86_INS_VPSHUFB,
1195 UC_X86_INS_VPSHUFD,
1196 UC_X86_INS_VPSHUFHW,
1197 UC_X86_INS_VPSHUFLW,
1198 UC_X86_INS_VPSIGNB,
1199 UC_X86_INS_VPSIGND,
1200 UC_X86_INS_VPSIGNW,
1201 UC_X86_INS_VPSLLDQ,
1202 UC_X86_INS_VPSLLD,
1203 UC_X86_INS_VPSLLQ,
1204 UC_X86_INS_VPSLLVD,
1205 UC_X86_INS_VPSLLVQ,
1206 UC_X86_INS_VPSLLW,
1207 UC_X86_INS_VPSRAD,
1208 UC_X86_INS_VPSRAQ,
1209 UC_X86_INS_VPSRAVD,
1210 UC_X86_INS_VPSRAVQ,
1211 UC_X86_INS_VPSRAW,
1212 UC_X86_INS_VPSRLDQ,
1213 UC_X86_INS_VPSRLD,
1214 UC_X86_INS_VPSRLQ,
1215 UC_X86_INS_VPSRLVD,
1216 UC_X86_INS_VPSRLVQ,
1217 UC_X86_INS_VPSRLW,
1218 UC_X86_INS_VPSUBB,
1219 UC_X86_INS_VPSUBD,
1220 UC_X86_INS_VPSUBQ,
1221 UC_X86_INS_VPSUBSB,
1222 UC_X86_INS_VPSUBSW,
1223 UC_X86_INS_VPSUBUSB,
1224 UC_X86_INS_VPSUBUSW,
1225 UC_X86_INS_VPSUBW,
1226 UC_X86_INS_VPTESTMD,
1227 UC_X86_INS_VPTESTMQ,
1228 UC_X86_INS_VPTESTNMD,
1229 UC_X86_INS_VPTESTNMQ,
1230 UC_X86_INS_VPTEST,
1231 UC_X86_INS_VPUNPCKHBW,
1232 UC_X86_INS_VPUNPCKHDQ,
1233 UC_X86_INS_VPUNPCKHQDQ,
1234 UC_X86_INS_VPUNPCKHWD,
1235 UC_X86_INS_VPUNPCKLBW,
1236 UC_X86_INS_VPUNPCKLDQ,
1237 UC_X86_INS_VPUNPCKLQDQ,
1238 UC_X86_INS_VPUNPCKLWD,
1239 UC_X86_INS_VPXORD,
1240 UC_X86_INS_VPXORQ,
1241 UC_X86_INS_VPXOR,
1242 UC_X86_INS_VRCP14PD,
1243 UC_X86_INS_VRCP14PS,
1244 UC_X86_INS_VRCP14SD,
1245 UC_X86_INS_VRCP14SS,
1246 UC_X86_INS_VRCP28PD,
1247 UC_X86_INS_VRCP28PS,
1248 UC_X86_INS_VRCP28SD,
1249 UC_X86_INS_VRCP28SS,
1250 UC_X86_INS_VRCPPS,
1251 UC_X86_INS_VRCPSS,
1252 UC_X86_INS_VRNDSCALEPD,
1253 UC_X86_INS_VRNDSCALEPS,
1254 UC_X86_INS_VRNDSCALESD,
1255 UC_X86_INS_VRNDSCALESS,
1256 UC_X86_INS_VROUNDPD,
1257 UC_X86_INS_VROUNDPS,
1258 UC_X86_INS_VROUNDSD,
1259 UC_X86_INS_VROUNDSS,
1260 UC_X86_INS_VRSQRT14PD,
1261 UC_X86_INS_VRSQRT14PS,
1262 UC_X86_INS_VRSQRT14SD,
1263 UC_X86_INS_VRSQRT14SS,
1264 UC_X86_INS_VRSQRT28PD,
1265 UC_X86_INS_VRSQRT28PS,
1266 UC_X86_INS_VRSQRT28SD,
1267 UC_X86_INS_VRSQRT28SS,
1268 UC_X86_INS_VRSQRTPS,
1269 UC_X86_INS_VRSQRTSS,
1270 UC_X86_INS_VSCATTERDPD,
1271 UC_X86_INS_VSCATTERDPS,
1272 UC_X86_INS_VSCATTERPF0DPD,
1273 UC_X86_INS_VSCATTERPF0DPS,
1274 UC_X86_INS_VSCATTERPF0QPD,
1275 UC_X86_INS_VSCATTERPF0QPS,
1276 UC_X86_INS_VSCATTERPF1DPD,
1277 UC_X86_INS_VSCATTERPF1DPS,
1278 UC_X86_INS_VSCATTERPF1QPD,
1279 UC_X86_INS_VSCATTERPF1QPS,
1280 UC_X86_INS_VSCATTERQPD,
1281 UC_X86_INS_VSCATTERQPS,
1282 UC_X86_INS_VSHUFPD,
1283 UC_X86_INS_VSHUFPS,
1284 UC_X86_INS_VSQRTPD,
1285 UC_X86_INS_VSQRTPS,
1286 UC_X86_INS_VSQRTSD,
1287 UC_X86_INS_VSQRTSS,
1288 UC_X86_INS_VSTMXCSR,
1289 UC_X86_INS_VSUBPD,
1290 UC_X86_INS_VSUBPS,
1291 UC_X86_INS_VSUBSD,
1292 UC_X86_INS_VSUBSS,
1293 UC_X86_INS_VTESTPD,
1294 UC_X86_INS_VTESTPS,
1295 UC_X86_INS_VUNPCKHPD,
1296 UC_X86_INS_VUNPCKHPS,
1297 UC_X86_INS_VUNPCKLPD,
1298 UC_X86_INS_VUNPCKLPS,
1299 UC_X86_INS_VZEROALL,
1300 UC_X86_INS_VZEROUPPER,
1301 UC_X86_INS_WAIT,
1302 UC_X86_INS_WBINVD,
1303 UC_X86_INS_WRFSBASE,
1304 UC_X86_INS_WRGSBASE,
1305 UC_X86_INS_WRMSR,
1306 UC_X86_INS_XABORT,
1307 UC_X86_INS_XACQUIRE,
1308 UC_X86_INS_XBEGIN,
1309 UC_X86_INS_XCHG,
1310 UC_X86_INS_XCRYPTCBC,
1311 UC_X86_INS_XCRYPTCFB,
1312 UC_X86_INS_XCRYPTCTR,
1313 UC_X86_INS_XCRYPTECB,
1314 UC_X86_INS_XCRYPTOFB,
1315 UC_X86_INS_XEND,
1316 UC_X86_INS_XGETBV,
1317 UC_X86_INS_XLATB,
1318 UC_X86_INS_XRELEASE,
1319 UC_X86_INS_XRSTOR,
1320 UC_X86_INS_XRSTOR64,
1321 UC_X86_INS_XRSTORS,
1322 UC_X86_INS_XRSTORS64,
1323 UC_X86_INS_XSAVE,
1324 UC_X86_INS_XSAVE64,
1325 UC_X86_INS_XSAVEC,
1326 UC_X86_INS_XSAVEC64,
1327 UC_X86_INS_XSAVEOPT,
1328 UC_X86_INS_XSAVEOPT64,
1329 UC_X86_INS_XSAVES,
1330 UC_X86_INS_XSAVES64,
1331 UC_X86_INS_XSETBV,
1332 UC_X86_INS_XSHA1,
1333 UC_X86_INS_XSHA256,
1334 UC_X86_INS_XSTORE,
1335 UC_X86_INS_XTEST,
1336 UC_X86_INS_FDISI8087_NOP,
1337 UC_X86_INS_FENI8087_NOP,
1338 UC_X86_INS_ENDING,
} uc_x86_insn;

uc_reg_write

uc_err uc_reg_write(uc_engine *uc, int regid, const void *value);
Write a value to a register.
@uc: handle returned by uc_open()
@regid: ID of the register to modify
@value: pointer to the value the register will be set to

@return UC_ERR_OK on success, otherwise another error type from the uc_err enum

//> X86 registers
typedef enum uc_x86_reg {
0 UC_X86_REG_INVALID = 0,
1 UC_X86_REG_AH,
2 UC_X86_REG_AL,
3 UC_X86_REG_AX,
4 UC_X86_REG_BH,
5 UC_X86_REG_BL,
6 UC_X86_REG_BP,
7 UC_X86_REG_BPL,
8 UC_X86_REG_BX,
9 UC_X86_REG_CH,
10 UC_X86_REG_CL,
11 UC_X86_REG_CS,
12 UC_X86_REG_CX,
13 UC_X86_REG_DH,
14 UC_X86_REG_DI,
15 UC_X86_REG_DIL,
16 UC_X86_REG_DL,
17 UC_X86_REG_DS,
18 UC_X86_REG_DX,
19 UC_X86_REG_EAX,
20 UC_X86_REG_EBP,
21 UC_X86_REG_EBX,
22 UC_X86_REG_ECX,
23 UC_X86_REG_EDI,
24 UC_X86_REG_EDX,
25 UC_X86_REG_EFLAGS,
26 UC_X86_REG_EIP,
27 UC_X86_REG_EIZ,
28 UC_X86_REG_ES,
29 UC_X86_REG_ESI,
30 UC_X86_REG_ESP,
31 UC_X86_REG_FPSW,
32 UC_X86_REG_FS,
33 UC_X86_REG_GS,
34 UC_X86_REG_IP,
35 UC_X86_REG_RAX,
36 UC_X86_REG_RBP,
37 UC_X86_REG_RBX,
38 UC_X86_REG_RCX,
39 UC_X86_REG_RDI,
40 UC_X86_REG_RDX,
41 UC_X86_REG_RIP,
42 UC_X86_REG_RIZ,
43 UC_X86_REG_RSI,
44 UC_X86_REG_RSP,
45 UC_X86_REG_SI,
46 UC_X86_REG_SIL,
47 UC_X86_REG_SP,
48 UC_X86_REG_SPL,
49 UC_X86_REG_SS,
50 UC_X86_REG_CR0,
51 UC_X86_REG_CR1,
52 UC_X86_REG_CR2,
53 UC_X86_REG_CR3,
54 UC_X86_REG_CR4,
55 UC_X86_REG_CR5,
56 UC_X86_REG_CR6,
57 UC_X86_REG_CR7,
58 UC_X86_REG_CR8,
59 UC_X86_REG_CR9,
60 UC_X86_REG_CR10,
61 UC_X86_REG_CR11,
62 UC_X86_REG_CR12,
63 UC_X86_REG_CR13,
64 UC_X86_REG_CR14,
65 UC_X86_REG_CR15,
66 UC_X86_REG_DR0,
67 UC_X86_REG_DR1,
68 UC_X86_REG_DR2,
69 UC_X86_REG_DR3,
70 UC_X86_REG_DR4,
71 UC_X86_REG_DR5,
72 UC_X86_REG_DR6,
73 UC_X86_REG_DR7,
74 UC_X86_REG_DR8,
75 UC_X86_REG_DR9,
76 UC_X86_REG_DR10,
77 UC_X86_REG_DR11,
78 UC_X86_REG_DR12,
79 UC_X86_REG_DR13,
80 UC_X86_REG_DR14,
81 UC_X86_REG_DR15,
82 UC_X86_REG_FP0,
83 UC_X86_REG_FP1,
84 UC_X86_REG_FP2,
85 UC_X86_REG_FP3,
86 UC_X86_REG_FP4,
87 UC_X86_REG_FP5,
88 UC_X86_REG_FP6,
89 UC_X86_REG_FP7,
90 UC_X86_REG_K0,
91 UC_X86_REG_K1,
92 UC_X86_REG_K2,
93 UC_X86_REG_K3,
94 UC_X86_REG_K4,
95 UC_X86_REG_K5,
96 UC_X86_REG_K6,
97 UC_X86_REG_K7,
98 UC_X86_REG_MM0,
99 UC_X86_REG_MM1,
100 UC_X86_REG_MM2,
101 UC_X86_REG_MM3,
102 UC_X86_REG_MM4,
103 UC_X86_REG_MM5,
104 UC_X86_REG_MM6,
105 UC_X86_REG_MM7,
106 UC_X86_REG_R8,
107 UC_X86_REG_R9,
108 UC_X86_REG_R10,
109 UC_X86_REG_R11,
110 UC_X86_REG_R12,
111 UC_X86_REG_R13,
112 UC_X86_REG_R14,
113 UC_X86_REG_R15,
114 UC_X86_REG_ST0,
115 UC_X86_REG_ST1,
116 UC_X86_REG_ST2,
117 UC_X86_REG_ST3,
118 UC_X86_REG_ST4,
119 UC_X86_REG_ST5,
120 UC_X86_REG_ST6,
121 UC_X86_REG_ST7,
122 UC_X86_REG_XMM0,
123 UC_X86_REG_XMM1,
124 UC_X86_REG_XMM2,
125 UC_X86_REG_XMM3,
126 UC_X86_REG_XMM4,
127 UC_X86_REG_XMM5,
128 UC_X86_REG_XMM6,
129 UC_X86_REG_XMM7,
130 UC_X86_REG_XMM8,
131 UC_X86_REG_XMM9,
132 UC_X86_REG_XMM10,
133 UC_X86_REG_XMM11,
134 UC_X86_REG_XMM12,
135 UC_X86_REG_XMM13,
136 UC_X86_REG_XMM14,
137 UC_X86_REG_XMM15,
138 UC_X86_REG_XMM16,
139 UC_X86_REG_XMM17,
140 UC_X86_REG_XMM18,
141 UC_X86_REG_XMM19,
142 UC_X86_REG_XMM20,
143 UC_X86_REG_XMM21,
144 UC_X86_REG_XMM22,
145 UC_X86_REG_XMM23,
146 UC_X86_REG_XMM24,
147 UC_X86_REG_XMM25,
148 UC_X86_REG_XMM26,
149 UC_X86_REG_XMM27,
150 UC_X86_REG_XMM28,
151 UC_X86_REG_XMM29,
152 UC_X86_REG_XMM30,
153 UC_X86_REG_XMM31,
154 UC_X86_REG_YMM0,
155 UC_X86_REG_YMM1,
156 UC_X86_REG_YMM2,
157 UC_X86_REG_YMM3,
158 UC_X86_REG_YMM4,
159 UC_X86_REG_YMM5,
160 UC_X86_REG_YMM6,
161 UC_X86_REG_YMM7,
162 UC_X86_REG_YMM8,
163 UC_X86_REG_YMM9,
164 UC_X86_REG_YMM10,
165 UC_X86_REG_YMM11,
166 UC_X86_REG_YMM12,
167 UC_X86_REG_YMM13,
168 UC_X86_REG_YMM14,
169 UC_X86_REG_YMM15,
170 UC_X86_REG_YMM16,
171 UC_X86_REG_YMM17,
172 UC_X86_REG_YMM18,
173 UC_X86_REG_YMM19,
174 UC_X86_REG_YMM20,
175 UC_X86_REG_YMM21,
176 UC_X86_REG_YMM22,
177 UC_X86_REG_YMM23,
178 UC_X86_REG_YMM24,
179 UC_X86_REG_YMM25,
180 UC_X86_REG_YMM26,
181 UC_X86_REG_YMM27,
182 UC_X86_REG_YMM28,
183 UC_X86_REG_YMM29,
184 UC_X86_REG_YMM30,
185 UC_X86_REG_YMM31,
186 UC_X86_REG_ZMM0,
187 UC_X86_REG_ZMM1,
188 UC_X86_REG_ZMM2,
189 UC_X86_REG_ZMM3,
190 UC_X86_REG_ZMM4,
191 UC_X86_REG_ZMM5,
192 UC_X86_REG_ZMM6,
193 UC_X86_REG_ZMM7,
194 UC_X86_REG_ZMM8,
195 UC_X86_REG_ZMM9,
196 UC_X86_REG_ZMM10,
197 UC_X86_REG_ZMM11,
198 UC_X86_REG_ZMM12,
199 UC_X86_REG_ZMM13,
200 UC_X86_REG_ZMM14,
201 UC_X86_REG_ZMM15,
202 UC_X86_REG_ZMM16,
203 UC_X86_REG_ZMM17,
204 UC_X86_REG_ZMM18,
205 UC_X86_REG_ZMM19,
206 UC_X86_REG_ZMM20,
207 UC_X86_REG_ZMM21,
208 UC_X86_REG_ZMM22,
209 UC_X86_REG_ZMM23,
210 UC_X86_REG_ZMM24,
211 UC_X86_REG_ZMM25,
212 UC_X86_REG_ZMM26,
213 UC_X86_REG_ZMM27,
214 UC_X86_REG_ZMM28,
215 UC_X86_REG_ZMM29,
216 UC_X86_REG_ZMM30,
217 UC_X86_REG_ZMM31,
218 UC_X86_REG_R8B,
219 UC_X86_REG_R9B,
220 UC_X86_REG_R10B,
221 UC_X86_REG_R11B,
222 UC_X86_REG_R12B,
223 UC_X86_REG_R13B,
224 UC_X86_REG_R14B,
225 UC_X86_REG_R15B,
226 UC_X86_REG_R8D,
227 UC_X86_REG_R9D,
228 UC_X86_REG_R10D,
229 UC_X86_REG_R11D,
230 UC_X86_REG_R12D,
231 UC_X86_REG_R13D,
232 UC_X86_REG_R14D,
233 UC_X86_REG_R15D,
234 UC_X86_REG_R8W,
235 UC_X86_REG_R9W,
236 UC_X86_REG_R10W,
237 UC_X86_REG_R11W,
238 UC_X86_REG_R12W,
239 UC_X86_REG_R13W,
240 UC_X86_REG_R14W,
241 UC_X86_REG_R15W,
242 UC_X86_REG_IDTR,
243 UC_X86_REG_GDTR,
244 UC_X86_REG_LDTR,
245 UC_X86_REG_TR,
246 UC_X86_REG_FPCW,
247 UC_X86_REG_FPTAG,
248 UC_X86_REG_MSR, // Model-Specific Register
249 UC_X86_REG_MXCSR,
250 UC_X86_REG_FS_BASE, // Base regs for x86_64
251 UC_X86_REG_GS_BASE,
252 UC_X86_REG_ENDING // <-- mark the end of the list of registers
} uc_x86_reg;
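The numbers in front of the enum entries above are what lets you read the raw register IDs in the decompiled hooks (35, 41, 25) as RAX, RIP and EFLAGS. Counting them by hand is error-prone whenever a comment sits on its own line, so here is a small header parser, added as an example and not part of the write-up, that assigns enum values the way the C compiler does (explicit `= N` restarts the count, comments consume nothing). The abridged enum text is constructed for the demo; `from_binding()` cross-checks against `unicorn.x86_const` when the Python binding is installed.

```python
import re

# Constructed, abridged copy of the uc_x86_reg enum in the same layout as the
# real header (several names per line, inline comments, a block comment).
SAMPLE_ENUM = """typedef enum uc_x86_reg {
  UC_X86_REG_INVALID = 0,
  UC_X86_REG_AH, UC_X86_REG_AL, UC_X86_REG_AX, UC_X86_REG_BH, UC_X86_REG_BL,
  /* ... the remaining general registers are omitted in this sample ... */
  UC_X86_REG_MSR, // Model-Specific Register
  UC_X86_REG_MXCSR,
  UC_X86_REG_FS_BASE, // Base regs for x86_64
  UC_X86_REG_GS_BASE,
  UC_X86_REG_ENDING // <-- mark the end of the list of registers
} uc_x86_reg;
"""


def enum_values(header_text: str) -> dict:
    """Map identifier -> numeric value for the first enum in header_text.

    Comments are stripped first so a comment on its own line cannot shift the
    numbering; an explicit '= N' resets the running counter like a C compiler.
    """
    text = re.sub(r"/\*.*?\*/", " ", header_text, flags=re.S)  # block comments
    text = re.sub(r"//[^\n]*", " ", text)                        # line comments
    body = text[text.index("{") + 1:text.index("}")]
    values, nxt = {}, 0
    for item in body.split(","):
        name, _, explicit = item.partition("=")
        name = name.strip()
        if not name:
            continue                      # trailing comma or blank entry
        if explicit.strip():
            nxt = int(explicit.strip(), 0)
        values[name] = nxt
        nxt += 1
    return values


def resolve(values: dict, *ids: int) -> list:
    """Reverse lookup: numeric IDs seen in pseudocode -> enum names."""
    by_value = {v: k for k, v in values.items()}
    return [by_value.get(i, f"<unknown {i}>") for i in ids]


def from_binding():
    """Same table taken from the installed Python binding, or None if absent."""
    try:
        import unicorn.x86_const as consts
    except ImportError:
        return None
    return {k: v for k, v in vars(consts).items()
            if k.startswith("UC_X86_REG_") and isinstance(v, int)}


if __name__ == "__main__":
    table = enum_values(SAMPLE_ENUM)
    print(resolve(table, 2, 7, 9))        # names for IDs 2, 7 and 9 in the sample
    real = from_binding()
    if real:
        print(resolve(real, 35, 41, 25))  # RAX, RIP, EFLAGS on the real binding
```

Run against the full `uc_x86_reg` block from `x86.h`, the same function yields 35 for RAX, 41 for RIP and 25 for EFLAGS, which is how the comments in the hook pseudocode below were obtained; the `resolve()` helper is also handy for the `uc_x86_insn` IDs passed to `uc_hook_add` with `UC_HOOK_INSN`.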

Program logic analysis

image-20210729154714716

sub_1095A(4LL, 8LL, &v14); This function was not recovered; judging from the code it should be uc_open.
From the uc_arch and uc_mode types we can tell that 4 is UC_ARCH_X86 and 8 is UC_MODE_64.

image-20210729154729851

Likewise, we determine that this function is uc_emu_start().
I recovered the symbol table, but it is not very complete, and we should not simply copy what others say a function is without understanding it ourselves.
Look at the source implementation of uc_emu_start:
uc_err uc_emu_start(uc_engine* uc, uint64_t begin, uint64_t until, uint64_t timeout, size_t count)
{
    // reset counters
    uc->emu_counter = 0;
    uc->invalid_error = UC_ERR_OK;
    uc->block_full = false;
    uc->emulation_done = false;
    uc->timed_out = false;

    switch(uc->arch) {
        default:
            break;
#ifdef UNICORN_HAS_M68K
        case UC_ARCH_M68K:
            uc_reg_write(uc, UC_M68K_REG_PC, &begin);
            break;
#endif
#ifdef UNICORN_HAS_X86
        case UC_ARCH_X86:
            switch(uc->mode) {
                default:
                    break;
                case UC_MODE_16: {
                    uint64_t ip;
                    uint16_t cs;

                    uc_reg_read(uc, UC_X86_REG_CS, &cs);
                    // compensate for the IP and CS added later
                    ip = begin - cs*16;
                    uc_reg_write(uc, UC_X86_REG_IP, &ip);
                    break;
                }
                case UC_MODE_32:
                    uc_reg_write(uc, UC_X86_REG_EIP, &begin);
                    break;
                case UC_MODE_64:
                    uc_reg_write(uc, UC_X86_REG_RIP, &begin);
                    break;
            }
            break;
    ......
}

This code is almost identical to the pseudocode in IDA:

image-20210729155328456

v11 is the uc struct. From this we determine that the function at DF59 is uc_reg_write and the function at DF27 is uc_reg_read.
Most functions have had their symbols recovered.
The program logic mainly emulates the bytecode stored in `code`. If the challenge did nothing else, we could simply dump the bytecode and analyse it, but at this challenge's difficulty level that is obviously not the case.

image-20210729161053681

The crux of this challenge lies in the multiple uc_hook_add callbacks.

input:
__int64 __fastcall input(__int64 a1, int a2, int a3)
{
    __int64 v3; // rbp
    _DWORD v5[2]; // [rsp-18h] [rbp-20h] BYREF
    unsigned __int64 v6; // [rsp-10h] [rbp-18h]
    __int64 v7; // [rsp-8h] [rbp-10h]

    v7 = v3;
    v6 = __readfsqword(0x28u);
    v5[1] = a2;
    v5[0] = 0;
    read(a2, v5, a3); // read input
    return v5[0];
}

output:
ssize_t __fastcall output(__int64 a1, int a2, int a3, int a4)
{
    int buf[3]; // [rsp+Ch] [rbp-24h] BYREF
    __int64 v6; // [rsp+18h] [rbp-18h]
    int fd; // [rsp+2Ch] [rbp-4h]

    v6 = a1;
    buf[2] = a2;
    buf[1] = a3;
    buf[0] = a4;
    fd = a2;
    return write(a2, buf, a3); // write output
}

syscall_time:
unsigned __int64 __fastcall syscall_time(__int64 a1)
{
    __int64 v2; // [rsp+18h] [rbp-18h] BYREF
    time_t v3; // [rsp+20h] [rbp-10h] BYREF
    unsigned __int64 v4; // [rsp+28h] [rbp-8h]

    v4 = __readfsqword(0x28u);
    v2 = 0LL;
    uc_reg_read(a1, 35, (__int64)&v2); // read RAX (register ID 35)
    if ( v2 == 0x1337 ) // check the magic value
    {
        v3 = time(0LL);
        uc_reg_write(a1, 35, (__int64)&v3); // call time(0) and store the result in RAX
    }
    return __readfsqword(0x28u) ^ v4;
}

change_key:
__int64 __fastcall sub_563518A4CB02(__int64 a1, int a2, unsigned __int64 a3, int a4)
{
    __int64 v6[2]; // [rsp+30h] [rbp-10h] BYREF

    v6[1] = __readfsqword(0x28u);
    if ( a2 == 16 && a3 > 0x6665FFFF && a3 <= 0x66660FFF && a4 == 8 )
    {
        v6[0] = 0LL;
        uc_mem_read(a1, a3, v6, 8LL);
        v6[0] = 0x756E69636F726E03LL * v6[0] + 0xBADC0DEC001CAFELL;
        uc_mem_write(a1, a3, v6, 8LL);
    }
    return 1LL;
}

decrypt:
unsigned __int64 __fastcall decrypt(__int64 a1, unsigned __int64 a2, __int64 a3, __int64 key_block)
{
    unsigned __int64 result; // rax
    unsigned __int64 v5; // [rsp+10h] [rbp-40h] BYREF
    __int64 v6; // [rsp+18h] [rbp-38h]
    unsigned int i; // [rsp+24h] [rbp-2Ch]
    unsigned int j; // [rsp+28h] [rbp-28h]
    unsigned int k; // [rsp+2Ch] [rbp-24h]
    int v10; // [rsp+30h] [rbp-20h]
    unsigned int size[3]; // [rsp+34h] [rbp-1Ch]
    void *ptr; // [rsp+40h] [rbp-10h]
    void *code_block; // [rsp+48h] [rbp-8h]

    v6 = a1;
    v5 = a2;
    *(_QWORD *)&size[1] = key_block;
    if ( *(_DWORD *)(key_block + 16) == a2 )
    {
        result = *(_QWORD *)&size[1];
        *(_DWORD *)(*(_QWORD *)&size[1] + 16LL) = 0;
        return result;
    }
    if ( *(_DWORD *)(*(_QWORD *)&size[1] + 4LL) ) // a basic block has finished executing
    {
        if ( *(unsigned int *)(*(_QWORD *)&size[1] + 4LL) <= v5 )
        {
            result = v5;
            if ( (unsigned int)(*(_DWORD *)(*(_QWORD *)&size[1] + 4LL) + *(_DWORD *)(*(_QWORD *)&size[1] + 8LL)) > v5 )
                return result;
        }
        ptr = malloc(*(unsigned int *)(*(_QWORD *)&size[1] + 8LL)); // re-encrypt the block that just finished executing
        uc_mem_read(
            v6,
            *(unsigned int *)(*(_QWORD *)&size[1] + 4LL),
            (__int64)ptr,
            *(unsigned int *)(*(_QWORD *)&size[1] + 8LL));
        dcode((__int64)ptr, *(_DWORD *)(*(_QWORD *)&size[1] + 8LL), *(_DWORD *)(*(_QWORD *)&size[1] + 12LL));
        uc_mem_write(v6, *(unsigned int *)(*(_QWORD *)&size[1] + 4LL), ptr, *(unsigned int *)(*(_QWORD *)&size[1] + 8LL));
        free(ptr);
    }
    v10 = calc_key(**(_DWORD **)&size[1], v5);
    for ( i = 0; ; ++i )
    {
        result = i;
        if ( i > 0x55 )
            break;
        if ( v10 == block_key_table[2 * i] )
        {
            size[0] = unk_56304FC676E4[2 * i];
            code_block = malloc(size[0]);
            uc_mem_read(v6, v5, (__int64)code_block, size[0]); // read `size` bytes of code
            for ( j = 0; size[0] > j; ++j )
                ;
            dcode((__int64)code_block, size[0], **(_DWORD **)&size[1]); // decrypt the code
            uc_mem_write(v6, v5, code_block, size[0]); // write the decrypted code back to memory
            for ( k = 0; size[0] > k; ++k )
                ;
            free(code_block);
            *(_DWORD *)(*(_QWORD *)&size[1] + 4LL) = v5; // execution address
            *(_DWORD *)(*(_QWORD *)&size[1] + 12LL) = **(_DWORD **)&size[1]; // basic-block key
            *(_DWORD *)(*(_QWORD *)&size[1] + 8LL) = size[0]; // code length of this block
            *(_DWORD *)(*(_QWORD *)&size[1] + 16LL) = v5; // execution address
            uc_reg_write(v6, 41, (__int64)&v5); // set RIP (register ID 41)
        }
    }
    return result;
}

conflow1:
__int64 __fastcall con_1(__int64 a1, unsigned int *a2)
{
    __int64 v2; // rdx
    __int16 v4; // [rsp+16h] [rbp-2Ah] BYREF
    unsigned int i; // [rsp+18h] [rbp-28h]
    int key; // [rsp+1Ch] [rbp-24h]
    __int64 v7; // [rsp+20h] [rbp-20h] BYREF
    __int64 v8; // [rsp+28h] [rbp-18h] BYREF
    unsigned int *v9; // [rsp+30h] [rbp-10h]
    unsigned __int64 v10; // [rsp+38h] [rbp-8h]

    v10 = __readfsqword(0x28u);
    v7 = 0LL;
    v4 = 0;
    uc_reg_read(a1, 41, (__int64)&v7); // read RIP
    uc_mem_read(a1, v7, (__int64)&v4, 2uLL);
    if ( v4 != 0x3F0F ) // block terminator marker 0x3f0f
        return 0LL;
    v9 = a2;
    key = calc_key(*a2, v7);
    for ( i = 0; ; ++i )
    {
        if ( i > 0x54 )
            return 0LL;
        if ( key == *((_DWORD *)&key_0 + 5 * (int)i) )
            break;
    }
    v8 = 0LL;
    uc_reg_read(a1, 25, (__int64)&v8); // read EFLAGS (register ID 25)
    if ( (v8 & 0x40) != 0 )
    {
        *v9 += key_2[5 * i]; // zf=1
        v2 = *((int *)&jmp2 + 5 * (int)i);
    }
    else
    {
        *v9 += *(_DWORD *)&key_1[20 * i]; // zf=0
        v2 = *((int *)&jmp1 + 5 * (int)i);
    }
    v7 += v2;
    uc_reg_write(a1, 41, (__int64)&v7); // set RIP
    return 1LL;
}

conflow_2:
unsigned __int64 __fastcall con_2(__int64 a1, __int64 a2, __int64 a3, _DWORD *a4)
{
    __int64 v5[2]; // [rsp+28h] [rbp-18h] BYREF
    unsigned __int64 v6; // [rsp+38h] [rbp-8h]

    v6 = __readfsqword(0x28u);
    v5[1] = (__int64)a4;
    *a4 -= 0x2B09B990; // compute the key
    v5[0] = 0x1EECLL;
    uc_reg_write(a1, 41LL, v5); // set RIP
    return __readfsqword(0x28u) ^ v6;
}

We have now analysed the whole program; to summarise the logic:

The program emulates a piece of code with unicorn. When each basic block is executed, the hook_add callback decrypt is invoked: it first checks whether the previous basic block has finished executing and, if so, re-encrypts that block's code. Then the basic-block key is run through calc_key to produce a value, the decryption routine decrypts the basic block, the decrypted code is written back to its original memory, and RIP is set so that it executes. When the corresponding instructions are hit during execution, input, output and syscall_time are called. Reads from the fs segment invoke change_key. An illegal instruction invokes con_1, which computes the next block's address and the new key, sets RIP, and execution continues.
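To see how these callbacks cooperate on known input, here is a miniature of the scheme, added as an example and not the challenge's code: two constructed x86-64 blocks are loaded XOR-"encrypted" (XOR stands in for the unknown dcode), a block hook plays the role of decrypt, a read hook on the 0x66660000 page plays change_key with the multiply-add from the pseudocode above, and a syscall hook plays syscall_time. The addresses, keys and machine code are assumptions for this demo, and the clock is injected so the result is deterministic.

```python
"""Added example (not the challenge's own code): the hook scheme in miniature."""
import struct

try:
    from unicorn import (Uc, UC_ARCH_X86, UC_MODE_64, UC_HOOK_BLOCK,
                         UC_HOOK_MEM_READ, UC_HOOK_INSN, UC_MEM_READ)
    from unicorn.x86_const import (UC_X86_REG_RAX, UC_X86_REG_RDX,
                                   UC_X86_REG_RIP, UC_X86_INS_SYSCALL)
    HAVE_UNICORN = True
except ImportError:            # the pure helpers below still work without the binding
    HAVE_UNICORN = False

MASK64 = (1 << 64) - 1
CODE_BASE, CODE_END = 0x1000, 0x1026        # assumed layout for this demo
FS_PAGE = 0x66660000                        # change_key only acts on 0x66660000..0x66660FFF

# Constructed plaintext blocks; block 0 ends with a jump into block 1.
PLAIN_BLOCKS = {
    0x1000: bytes.fromhex("48C7C037130000" "0F05" "EB15"),  # mov rax,0x1337 ; syscall ; jmp 0x1020
    0x1020: bytes.fromhex("488B0A" "4801C8"),               # mov rcx,[rdx] ; add rax,rcx
}
# address -> (size, key): the role block_key_table plays in the challenge
BLOCK_TABLE = {0x1000: (11, 0xA5A5A5A5), 0x1020: (6, 0x3C3C3C3C)}


def xor_stream(data: bytes, key: int) -> bytes:
    """Stand-in for dcode(): XOR with the 32-bit key repeated (self-inverse)."""
    ks = struct.pack("<I", key)
    return bytes(b ^ ks[i % 4] for i, b in enumerate(data))


def change_key_transform(v: int) -> int:
    """The 64-bit update change_key applies to every 8-byte read of the fs page."""
    return (0x756E69636F726E03 * v + 0x0BADC0DEC001CAFE) & MASK64


def hook_block(uc, address, size, st):
    """decrypt(): st['last'] mirrors key_block+4/+8/+12, st['armed_at'] mirrors +16."""
    if st["armed_at"] == address:           # re-entry caused by our own RIP write
        st["armed_at"] = None
        return
    if st["last"] is not None:
        la, ln, lk = st["last"]
        if la <= address < la + ln:         # still inside the decrypted block
            return
        uc.mem_write(la, xor_stream(bytes(uc.mem_read(la, ln)), lk))  # re-encrypt it
        st["last"] = None
    if address in BLOCK_TABLE:
        n, k = BLOCK_TABLE[address]
        uc.mem_write(address, xor_stream(bytes(uc.mem_read(address, n)), k))
        st["last"] = (address, n, k)
        st["armed_at"] = address
        uc.reg_write(UC_X86_REG_RIP, address)   # discard the TB built from ciphertext


def hook_syscall(uc, st):
    """syscall_time(): only RAX == 0x1337 is answered, with the injected clock."""
    if uc.reg_read(UC_X86_REG_RAX) == 0x1337:
        uc.reg_write(UC_X86_REG_RAX, st["now"]() & MASK64)


def hook_fs_read(uc, access, address, size, value, st):
    """change_key(): rewrite the 8-byte value before the load completes."""
    if access == UC_MEM_READ and size == 8:
        v = struct.unpack("<Q", bytes(uc.mem_read(address, 8)))[0]
        uc.mem_write(address, struct.pack("<Q", change_key_transform(v)))


def run_demo(now=lambda: 0x1000):
    """Load the blocks encrypted, install the three hooks, return the final RAX."""
    mu = Uc(UC_ARCH_X86, UC_MODE_64)
    mu.mem_map(CODE_BASE, 0x1000)
    mu.mem_map(FS_PAGE, 0x1000)
    for addr, code in PLAIN_BLOCKS.items():
        mu.mem_write(addr, xor_stream(code, BLOCK_TABLE[addr][1]))
    mu.mem_write(FS_PAGE, struct.pack("<Q", 1))      # seed value read by block 1
    mu.reg_write(UC_X86_REG_RDX, FS_PAGE)
    st = {"last": None, "armed_at": None, "now": now}
    mu.hook_add(UC_HOOK_BLOCK, hook_block, st)
    mu.hook_add(UC_HOOK_INSN, hook_syscall, st, 1, 0, UC_X86_INS_SYSCALL)
    mu.hook_add(UC_HOOK_MEM_READ, hook_fs_read, st, FS_PAGE, FS_PAGE + 0xFFF)
    mu.emu_start(CODE_BASE, CODE_END)
    return mu.reg_read(UC_X86_REG_RAX)   # now() + change_key_transform(1)


if __name__ == "__main__":
    if HAVE_UNICORN:
        print(hex(run_demo()))
    else:
        print("unicorn binding not installed; helpers only")
```

Two details matter for anyone re-implementing or tracing such a scheme. First, the block hook runs after unicorn has already translated the (still encrypted) bytes at that address, so writing the plaintext with mem_write is not enough; writing RIP from inside the hook is what forces unicorn to abandon that translation block and start again, and the `armed_at` field is needed precisely because that restart re-triggers the block hook at the same address. Second, a read hook fires before the load is performed, so rewriting memory in it changes the value the instruction receives, which is how change_key perturbs the key without touching the emulated code.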

Control-flow reconstruction

Approach:
First define a calc_key function (computes the key from the basic-block key), a decode function (decrypts a code block) and a disasm function (disassembles code).
Dump jmp_table and block_key_table from the program and group them: jmp_table in groups of five, block_key_table in groups of two. Traverse the code blocks with BFS, computing the next basic block's address from conflow1 and conflow2, and store the corresponding values in realy_code. Once realy_code is complete, add the jump instructions and finally recompile.
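The BFS itself, with the two tables indexed exactly as con_1 and decrypt index them (five dwords key_0, jmp1, key_1, jmp2, key_2 per jump entry; key and size per block entry), is shown below as an added example rather than the write-up's script. The challenge's calc_key is not reproduced here; `calc_key()` is a hypothetical stand-in, and the tables are constructed to be consistent with it, including one backward edge whose offset and key delta wrap around 32 bits. con_2 (the hard-coded jump to 0x1EEC with key -= 0x2B09B990) is not modelled.

```python
"""Added example (not the write-up's script): block-graph recovery by BFS."""
import struct
from collections import deque

MASK32 = 0xFFFFFFFF


def calc_key(block_key: int, addr: int) -> int:
    # Hypothetical stand-in for the challenge's calc_key(key, address).
    return (block_key ^ addr) & MASK32


def to_i32(v: int) -> int:
    """Jump offsets are dumped as unsigned dwords but con_1 uses them as signed ints."""
    return struct.unpack("<i", struct.pack("<I", v & MASK32))[0]


# Constructed tables, flat, the way they would be dumped from the binary.
JMP_TABLE = [0x11110101, 0x000000F0, 0x00001000, 0x000001F0, 0x00002000,
             0x11113019, 0x000001F8, 0x00003000, 0xFFFFFEF8, 0xFFFFF000]
BLOCK_KEY_TABLE = [0x11110111, 0x10, 0x11113011, 0x8,
                   0x11112311, 0xC, 0x11114211, 0x4]


def group(table, n):
    return [tuple(table[i:i + n]) for i in range(0, len(table), n)]


def reconstruct(entry: int, entry_key: int, jmp_table, block_key_table):
    """BFS over (address, key) states; returns addr -> list of block records.

    A record holds the key the block was reached with, its size and the two
    successors con_1 would pick: 'zf0' for ZF=0 (jmp1/key_1) and 'zf1' for
    ZF=1 (jmp2/key_2). Blocks whose terminator has no table entry are exits.
    """
    jmps = {g[0]: g for g in group(jmp_table, 5)}
    sizes = {g[0]: g[1] for g in group(block_key_table, 2)}
    graph, seen = {}, set()
    todo = deque([(entry, entry_key)])
    while todo:
        addr, key = todo.popleft()
        if (addr, key) in seen:             # same block with same key: already expanded
            continue
        seen.add((addr, key))
        size = sizes.get(calc_key(key, addr))
        if size is None:
            raise ValueError(f"no block entry for {addr:#x} with key {key:#x}")
        term = addr + size                  # where the 0F 3F terminator sits
        block = {"key": key, "size": size, "zf0": None, "zf1": None}
        entry_row = jmps.get(calc_key(key, term))
        if entry_row is not None:           # con_1 finds a match: two successors
            _, jmp1, key_1, jmp2, key_2 = entry_row
            block["zf0"] = (term + to_i32(jmp1), (key + key_1) & MASK32)
            block["zf1"] = (term + to_i32(jmp2), (key + key_2) & MASK32)
            todo.append(block["zf0"])
            todo.append(block["zf1"])
        graph.setdefault(addr, []).append(block)
    return graph


if __name__ == "__main__":
    for addr, blocks in sorted(reconstruct(0x1000, 0x11111111, JMP_TABLE, BLOCK_KEY_TABLE).items()):
        for b in blocks:
            print(f"{addr:#06x} key={b['key']:#010x} size={b['size']:#x} "
                  f"zf0={b['zf0']} zf1={b['zf1']}")
```

The state of the search is the pair (address, key), not the address alone: because con_1 mutates the key on every transition, the same block can legitimately be re-entered with a different key, and only that key decrypts it correctly. Keying the visited set on the pair keeps the BFS terminating while still following such re-entries, and the successor tuples are precisely what the dumping step needs before running dcode on each block and emitting the jcc/jmp pair that replaces the terminator.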

import struct, ctypes
from pwn import *
from capstone import *

context.arch = 'amd64'

jmp_table_plus = [0x00412F5E, 0xFFFFFA22, 0x14252652, 0xFFFFF9AC, 0x66CEF8EC, 0x0251D934, 0x0000009F, 0xC56FBF59, 0xFFFFFF61, 0xAA4D5B7C, 0x02745896, 0xFFFFFB7F, 0x34B6D31E, 0xFFFFFBB0, 0x302CC828, 0x02AC5992, 0xFFFFF524, 0x67CC4064, 0xFFFFF483, 0x8A5D9B26, 0x046254D0, 0xFFFFFC37, 0x074AB936, 0xFFFFFC7F, 0xB8EA37F7, 0x0CACD9FE, 0x0000007F, 0x6112F222, 0x00000002, 0x47A72561, 0x0F0FE6EB, 0xFFFFFBAE, 0x0A1411E7, 0xFFFFFC85, 0x3BE88B46, 0x0FC59DC2, 0xFFFFF72F, 0x7D12A5EF, 0xFFFFF691, 0xE67393D6, 0x10B1EBCA, 0x000001CF, 0x473A1295, 0x0000022E, 0x7BC15385, 0x1565D41D, 0xFFFFFDC4, 0x05D337BE, 0xFFFFFE7E, 0xE12982E4, 0x18909E40, 0x000005EB, 0xAE2337AF, 0x000005B1, 0x8E0AB2ED, 0x1AE7593A, 0xFFFFF3BC, 0x23E9058D, 0xFFFFF40B, 0xDFA6CF3E, 0x1B47DA81, 0xFFFFF8C3, 0x349CC616, 0xFFFFF7E9, 0x70C290D0, 0x1D816435, 0x00000002, 0x43F999C9, 0xFFFFFFD8, 0xAB0BCA16, 0x1DACC905, 0xFFFFFF54, 0x5C129962, 0xFFFFFD06, 0xE4515A41, 0x1E03B13C, 0xFFFFFF80, 0x7E763806, 0xFFFFF36A, 0xA25F3D93, 0x22FEFC06, 0xFFFFFCDD, 0xB94E0C2F, 0xFFFFFCB6, 0xF023033D, 0x26B1E690, 0xFFFFFDAB, 0xD0C7ED0C, 0xFFFFFE9B, 0xD49872C6, 0x2A652084, 0x000001EA, 0xDF9B65EE, 0x00000051, 0x5CC5AB90, 0x2FBEBD25, 0x0000048F, 0x60A4E9F2, 0x000009AF, 0x42FE8B0D, 0x34F12D90, 0x000004C0, 0xF6257D94, 0x00000480, 0x5227DE21, 0x35F591D0, 0xFFFFFCA1, 0xDA83E113, 0xFFFFF998, 0x805C7ECB, 0x37EB0B72, 0xFFFFF3EC, 0x7480201A, 0xFFFFF903, 0xAC977E11, 0x389A58A8, 0x00000189, 0xE4005CD7, 0xFFFFFDEC, 0xB043695F, 0x3CB24155, 0x0000084C, 0x8ACB6FF1, 0x00000899, 0xACB471A5, 0x3DCBCDE3, 0x000007A8, 0xA84E3072, 0x00000384, 0xB2624259, 0x3F5290DE, 0xFFFFFE25, 0x8AC11F92, 0xFFFFFD8A, 0x44ACCD78, 0x47FF9B7E, 0x00000A81, 0x9833BF9C, 0x00000B35, 0x9B7199CD, 0x4C7867E6, 0x0000011C, 0x68BB4F80, 0x0000002E, 0x75B675CD, 0x53ADCD80, 0x000004E8, 0x6AA4F705, 0x00000452, 0xBA7C314B, 0x566E1640, 0x00000C8E, 0x203E3737, 0x00000C38, 0xF9367ED9, 0x5EDBB130, 0x000004FF, 0xD4F71A40, 0x000002AA, 0x35DC4141, 0x6C29C83A, 0x00000013, 0xBEAD8A76, 0xFFFFFFB5, 0x7A8A43EF, 
0x6E036C9C, 0x00000BD5, 0x225F81E0, 0x00000D89, 0x3C25944D, 0x6FDCCE50, 0x00000605, 0xD3126740, 0x000003D5, 0xA3DA544C, 0x7132D345, 0x0000064E, 0x00915A5A, 0x000006DD, 0x5BCB6B22, 0x720DBD5C, 0x000008C3, 0x64DCFDF6, 0x00000858, 0x190B20BB, 0x7A035AD4, 0x00000424, 0x4DD955FB, 0x000004BF, 0xF65150B5, 0x7CBAED22, 0x00000AA1, 0x62CC154B, 0xFFFFFC58, 0x8DD5CEDB, 0x7EBF8EA8, 0x00000458, 0xCE844A0E, 0xFFFFF734, 0x9079D6BA, 0x804885CD, 0x000007BB, 0x89A8DA66, 0x00000136, 0x7185B813, 0x82190F37, 0xFFFFF58C, 0x013FA7D4, 0xFFFFF4AB, 0x7518093D, 0x83F7826A, 0x00000917, 0x2F33C3DD, 0xFFFFFBF0, 0x02A289B1, 0x8481BFD5, 0xFFFFF927, 0x72EED2D1, 0xFFFFF80A, 0xF46FD351, 0x85A69D6E, 0x000000B4, 0x27A3BB0F, 0x00000181, 0x49235BC0, 0x85F73150, 0x00000259, 0xA300692F, 0x000009BD, 0x5A3E46A9, 0x86E2497A, 0xFFFFFB53, 0xE7614707, 0xFFFFFBB3, 0xFA190B2A, 0x8B261F60, 0xFFFFF323, 0x97B9CC33, 0xFFFFFAB7, 0x2CB73BF0, 0x8B42B00C, 0x00000871, 0xA57A2DE3, 0x00000797, 0xA73082D6, 0x8E4C5C94, 0x000000FE, 0xEE4B594B, 0xFFFFF999, 0xDCE3B74D, 0x913A9FDB, 0xFFFFFE1C, 0x1BFFA329, 0xFFFFFD31, 0x49B21C95, 0x922BFB96, 0xFFFFF61B, 0x4FAFD829, 0xFFFFFBBA, 0x6BD5D317, 0x9F4B8702, 0xFFFFFEC1, 0xB691AD49, 0xFFFFFEF2, 0xCE6C6FE9, 0xA2CEAAA6, 0xFFFFFD89, 0x60E52701, 0xFFFFFCB2, 0x25AD9A9D, 0xAA970D72, 0xFFFFF2BB, 0xC1F58CAC, 0xFFFFF2AB, 0x20B8FE22, 0xABC02B72, 0xFFFFF94B, 0xFF6EA5A6, 0xFFFFFA6A, 0x1CD46647, 0xAE535E9E, 0x000003EC, 0x31246F6B, 0x0000035B, 0x50E2A20A, 0xB7337941, 0xFFFFF856, 0xD1A79AD7, 0xFFFFF955, 0x14673B75, 0xBB8DB95E, 0xFFFFFEEB, 0x6A7F1E5A, 0xFFFFF3B3, 0x1EF2F3AA, 0xBC1EDA22, 0xFFFFFB90, 0xE247955F, 0xFFFFFCE6, 0xA0351A85, 0xBCD91FE8, 0x0000008C, 0x71A348B9, 0x00000030, 0x821754EF, 0xBD38E305, 0xFFFFFF59, 0xE694333F, 0xFFFFFEF9, 0x436B1A45, 0xBE1AA65A, 0xFFFFF93D, 0x8761A810, 0xFFFFFEEB, 0xB2DB19FA, 0xC052453C, 0x000009B5, 0xB05027D7, 0x000009C5, 0xBCA91679, 0xC4A2D780, 0x000008B9, 0xE42FD068, 0x000007C1, 0x9F8B2B83, 0xC6A236BA, 0xFFFFFDBB, 0x20649A12, 0xFFFFFD09, 0x5F73FD94, 0xC6BB5160, 
0xFFFFFE90, 0x0ED42674, 0xFFFFFF4B, 0xA76699CC, 0xCB74E940, 0x000003E3, 0x7DA194FF, 0xFFFFFCDA, 0xB23E5B15, 0xD027B387, 0xFFFFF701, 0x880BCC4F, 0xFFFFF785, 0xFEA3D685, 0xD1127D6B, 0xFFFFFAC0, 0xDF3D499A, 0x00000362, 0x84B7777D, 0xD6F5F913, 0xFFFFFCCD, 0xA5D89DB8, 0xFFFFFCAB, 0xF69BAE29, 0xDD04F828, 0xFFFFF705, 0xE18F3BA0, 0xFFFFF64D, 0xEBC799B0, 0xDDF22CB8, 0x0000075D, 0x47F7B857, 0x000001B3, 0x5C1CDEA9, 0xDF34D0A8, 0x0000014D, 0xBFE2CAD5, 0x00000201, 0x1F0C8A89, 0xE146EA40, 0x0000046D, 0x189EB8F9, 0xFFFFF6FB, 0x4CA1090D, 0xE231C560, 0x00000710, 0x2E586529, 0xFFFFFF17, 0x0E9AA776, 0xE2FC6838, 0x00000733, 0xB73DDD7A, 0x00000753, 0x14A1BDE4, 0xE44AE35D, 0x000002C8, 0x46B1F3D1, 0xFFFFFA2D, 0xD2295816, 0xE5AF4AB1, 0x00000DB0, 0x0AFF4FF9, 0x00000D91, 0xB17A4340, 0xE7E3CF21, 0x00000656, 0x9FC50924, 0x00000658, 0x31615022, 0xE8815965, 0x00000BCB, 0x6F51A655, 0x00000C0A, 0x72F5680C, 0xEBDF0F14, 0xFFFFF2B1, 0xD36EC5D4, 0xFFFFF239, 0x3B711343, 0xEC12E59B, 0x00000270, 0x3A38D2E8, 0x0000023D, 0x68D07674, 0xF4013920, 0x00000703, 0xD83CCFAA, 0x000007BA, 0x46891EEB, 0xF6847EC1, 0xFFFFFE62, 0x6D4BAAFC, 0xFFFFFD92, 0x5E6F5A94]
block_key_table = [0x02F73020, 0x00000015, 0x09D3473A, 0x00000051, 0x0EF87B55, 0x0000000D, 0x147CB028, 0x00000023, 0x15F833AA, 0x00000030, 0x17086780, 0x00000018, 0x1733A9D4, 0x00000014, 0x17D61EE8, 0x00000051, 0x1D52F19E, 0x00000011, 0x1F732DE0, 0x0000000D, 0x1FBECFAD, 0x0000001B, 0x245BD7C8, 0x00000055, 0x25E7ABEE, 0x00000009, 0x2882C190, 0x000000A2, 0x2A2084A0, 0x00000075, 0x326AA6AE, 0x00000036, 0x33074A36, 0x00000024, 0x3440BD69, 0x0000002C, 0x362A1FC3, 0x0000002C, 0x3C0450D0, 0x0000000D, 0x3CB575FD, 0x00000011, 0x41B3B26E, 0x0000004E, 0x46005120, 0x00000011, 0x465A72CF, 0x00000002, 0x492145A0, 0x0000000D, 0x49AA4CE0, 0x0000002D, 0x4BD63647, 0x0000004E, 0x4BF84A87, 0x0000000D, 0x4D102445, 0x00000033, 0x4D4D3C55, 0x0000001B, 0x53723232, 0x0000000A, 0x5809B5CB, 0x000000A2, 0x5B12FFCE, 0x00000015, 0x5B1F3000, 0x00000051, 0x5D9FBD20, 0x00000027, 0x6219EED9, 0x0000008A, 0x65D82D17, 0x0000004C, 0x67F5671A, 0x00000063, 0x6CE2CBC1, 0x00000033, 0x718A739C, 0x0000000B, 0x71A62DD7, 0x00000015, 0x7693A1F6, 0x00000014, 0x7A473FB0, 0x00000047, 0x7AEFEDDC, 0x00000011, 0x7AF2CF90, 0x0000004F, 0x7BE0B8B0, 0x0000001B, 0x80EB3E88, 0x0000000A, 0x8213506A, 0x0000000C, 0x82468114, 0x00000011, 0x86B872A2, 0x0000001C, 0x87FBD296, 0x00000019, 0x88719339, 0x00000016, 0x89E2630A, 0x00000024, 0x8CB6536E, 0x0000004E, 0x92316E00, 0x00000015, 0x9415A51E, 0x0000004F, 0x94D658E0, 0x0000002B, 0x97E8DFCD, 0x00000036, 0x992E3874, 0x0000002A, 0x9B06958D, 0x00000030, 0x9B36B480, 0x0000000D, 0xA03CEFAD, 0x0000005A, 0xA39F47E6, 0x0000004E, 0xA946DEC4, 0x000000B4, 0xAE6173DC, 0x00000051, 0xB044A68D, 0x0000008C, 0xB29E36A8, 0x0000000B, 0xB82781F4, 0x0000000D, 0xC14DFAF8, 0x00000011, 0xC3F42E20, 0x0000001E, 0xC5E0065E, 0x00000067, 0xCAD68B21, 0x00000039, 0xCBF29AC7, 0x00000011, 0xCE8729BC, 0x0000001B, 0xD2A85A94, 0x00000004, 0xD34FA4F3, 0x00000011, 0xD64611B0, 0x00000058, 0xD814FD56, 0x00000018, 0xDD386A80, 0x0000000A, 0xDE82DFAC, 0x00000011, 0xEC68D16F, 0x0000001B, 0xEEDE845B, 0x0000003F, 0xF235F260, 
0x0000008D, 0xF9AA1F0B, 0x00000087, 0xFC200887, 0x00000011, 0xFED657A3, 0x0000000C]
table_plus_0 = [[0, 0, 0, 0, 0] for i in range(len(jmp_table_plus)//5)]
key_len_table_0 = [[0, 0] for i in range(len(block_key_table)//2)]
# group jmp_table into records of five
for i in range(0, len(jmp_table_plus), 5):
    table_plus_0[i//5][0] = jmp_table_plus[i]      # key index
    table_plus_0[i//5][1] = jmp_table_plus[i+1]    # jmp1
    table_plus_0[i//5][2] = jmp_table_plus[i+2]    # key1
    table_plus_0[i//5][3] = jmp_table_plus[i+3]    # jmp2
    table_plus_0[i//5][4] = jmp_table_plus[i+4]    # key2
# group block_key_table into pairs
for i in range(0, len(block_key_table), 2):
    key_len_table_0[i//2][0] = block_key_table[i]    # key index
    key_len_table_0[i//2][1] = block_key_table[i+1]  # code length
# print(len(table_plus_0))
# print(len(key_len_table_0))
data_0 = 0x3265B1F5  # initial key
ip = 0x1000          # start address of the code
end = 0x3f0f         # end-of-block marker

# compute the key
def calc_key(size_1, ip):
    return (ip ^ size_1 ^ (ip * size_1) ^ (ip + size_1)) & 0xffffffff

# decrypt a code block: XOR with the 32-bit key, repeated every 4 bytes
def decode(code, length, key):
    key_bytes = p32(key)
    code0 = []
    for i in range(length):
        code0.append(code[i] ^ key_bytes[i % 4])
    return bytearray(code0)

# disassemble code
def disasm(data, baseaddr):
    md = Cs(CS_ARCH_X86, CS_MODE_64)
    ins = ''
    for i in md.disasm(data, baseaddr):
        asm_code = "%s\t%s" % (i.mnemonic, i.op_str)
        ins += asm_code + "\n"
    return ins

with open("uc_code.dump", "rb") as f:
    uc_code = f.read()

fw = open("code_finally.bin", "wb+")  # opened but not used below
# realy_code, e.g. {'0x1000': (code, '_0x104f', '_0x1c1a', 'none')}
# the key is the start address of a code block; the value is a tuple of the block's code,
# the block's end address, jump target 1 and jump target 2
realy_code = {}
code_len = 0
work_queue = [(0x3265B1F5, 0x1000)]  # queue for the BFS traversal
ip_log = []  # ip addresses that have already been decoded
while len(work_queue) > 0:
    #print(x)
    # record the addresses to avoid processing a block twice
    for d in work_queue:
        if d[1] not in ip_log:
            ip_log.append(d[1])
    T = work_queue[0]
    #print(T)
    work_queue.remove(T)
    data_0 = T[0]
    ip = T[1]
    calc_key_start = calc_key(data_0, ip)
    for i in range(len(key_len_table_0)):
        if key_len_table_0[i][0] == calc_key_start:
            len_code = key_len_table_0[i][1]
            code = decode(uc_code[ip-0x1000:ip-0x1000+len_code-2], len_code-2, data_0)
            #fw.write(realy_code)
            end_ip = ip + len_code - 2
            calc_key_end = calc_key(data_0, end_ip)
            #print(hex(calc_key_end))
            # the very last block has no end-of-block marker and must be handled separately
            if ip == 0x112d:
                code = decode(uc_code[ip - 0x1000:ip - 0x1000 + len_code], len_code, data_0)
                end_ip = ip + len_code
                calc_key_end = calc_key(data_0, end_ip)
                realy_code[hex(ip)] = (code, "_" + hex(end_ip), "none", "none")
            # handle conflow1
            for j in range(len(table_plus_0)):
                if table_plus_0[j][0] == calc_key_end:
                    #print(calc_key_end)
                    asm_text = disasm(code, ip)
                    #print(asm_text)
                    ip0 = end_ip + ctypes.c_int32(table_plus_0[j][1]).value
                    data_00 = (data_0 + table_plus_0[j][2]) & 0xffffffff
                    # check for conflow2
                    if ip0 == 0x10A3:
                        data_00 = (data_00 - 0x2B09B990) & 0xffffffff  # keep the key a 32-bit value for p32()
                        ip0 = 0x1EEC
                    if ip0 not in ip_log:
                        work_queue.append((data_00, ip0))
                    if 'qword ptr fs:[' not in asm_text.splitlines()[-1]:
                        ip1 = end_ip + ctypes.c_int32(table_plus_0[j][3]).value
                        data_01 = (data_0 + table_plus_0[j][4]) & 0xffffffff
                        if ip1 == 0x10A3:
                            data_01 = (data_01 - 0x2B09B990) & 0xffffffff
                            ip1 = 0x1EEC
                        realy_code[hex(ip)] = (code, "_" + hex(end_ip), "_" + hex(ip0), "_" + hex(ip1))
                        if ip1 not in ip_log:
                            work_queue.append((data_01, ip1))
                    else:
                        realy_code[hex(ip)] = (code, "_" + hex(end_ip), "_" + hex(ip0), "none")
                    break
            #print(realy_code)
            break
print(realy_code)
print(len(realy_code))
# rebuild the code, adding the jump instructions
all_asm = ""
for i in sorted(realy_code.keys()):
    all_asm += "_" + i + ":\n" + disasm(realy_code[i][0], 0)

    if realy_code[i][3] != "none":
        all_asm += "jz " + realy_code[i][3] + "\n"
        all_asm += "jmp " + realy_code[i][2] + "\n"
    elif realy_code[i][2] == "none":
        continue
    else:
        all_asm += "jmp " + realy_code[i][2] + "\n"
all_asm = all_asm.replace("endbr64", "nop\n" * 4)
print(all_asm)
# reassemble and write to a bin file
code_bin = asm(all_asm)
open('2.bin', 'wb').write(code_bin)

Analysing the rebuilt code

Because reads from the fs segment trigger the callback function, the IDA pseudocode contains some errors; wherever the fs segment is read, the analysis has to be cross-checked against the assembly.
First the syscall function is called, and the callback invokes time(0). The for loop validates the value of time, so we treat it as the check_time function. As can be seen, time is transformed into v75, and only after v75 compares equal to the data does execution enter the flag computation stage.

image-20210806142256710

The code below is the same as the check_time function, except that the data in the fs segment has changed; at the end the computed data is XORed with our input.

image-20210806142440624

Then comes the final check stage:

image-20210806142936552

Decryption approach

Because some problems came up while writing the script, the solution consists of a Python script plus some C code.

from pwn import *  # p32, p64, u32, rol

# Define these two functions:
def change_key(fs):
    fs_1 = (0x756E69636F726E03 * fs + 0xBADC0DEC001CAFE) & 0xffffffffffffffff
    return fs_1

def check_time(v35, fs):
    for n in range(256):
        data1 = change_key(fs)
        #print(hex(data1))
        data2 = change_key(data1)
        #print(hex(data2))
        fs = data2
        v35 = (((data1 ^ v35) + data2 + 0x21 * v35 + 1) & 0xffffffffffffffff)
        #print(hex(v35))
        v35 = rol(v35, 13, 64)
        #print(hex(v35))
        if (n & 1) != 0:
            v35 = (data2 ^ (data1 + v35)) & 0xffffffffffffffff
        if (n & 2) != 0:
            v35 ^= (data1 + data2) & 0xffffffffffffffff
        if (n & 4) != 0:
            v35 ^= (data2 ^ data1) & 0xffffffffffffffff
        if (n & 8) != 0:
            v35 += (data1 + data2) & 0xffffffffffffffff
    return v35 & 0xffffffffffffffff, fs

# First XOR the last group of data to obtain the data of the layer above.
flags = [0x67616c66, 0x47414c46, 0x7b627771, 0x7b425751]  # the four possible flag heads as little-endian dwords: flag, FLAG, qwb{, QWB{
xor_data = [0x178DEC4F232DDB6E, 0xC2AAB7D6D2A167C3, 0xF1AB91F72761A80F, 0x3DCEDC28076C41A]  # v2 in the screenshot above
cmp_data = [0x3EC81D9432CEF584, 0xB649A4DCD6BD24FE, 0xC5927F0B767A787D, 0x1F245B7F751BB52E]  # v6 in the screenshot above
mm_crc32 = [0x11dc4d59, 0x788bcf1a, 0x2a9f67b4, 0x63756b29]
xor_data1 = []  # corresponds to *(input1+m) below the check_time function
tmp1 = b""      # the data used in the _mm_crc32_u32 loop
# compute tmp1
for i in range(4):
    data1 = p64(xor_data[i])
    data2 = p64(cmp_data[i])
    for j in range(8):
        tmp1 += bytes([data1[j] ^ data2[j]])

# One step further up, time is unknown; since the first four bytes of the flag can only take four forms, we brute-force it.
# get the data that is XORed with the input
fs_0 = 0x5249415452455451
for m in range(32):
    fs_0 = change_key(fs_0)
    v36 = fs_0
    v35 = m
    a, fs_0 = check_time(v35, fs_0)
    #print(hex(v36))
    #print(hex(a))
    xor_data1.append((v36 + a) & 0xff)
print(xor_data1)
# get the XORed flag_head, used to brute-force the value of time/0xe10
for i in range(4):
    flag_head = p32(flags[i])
    s = b""
    for j in range(4):
        s += bytes([flag_head[j] ^ xor_data1[i*4+j]])
    flags[i] = u32(s)
# brute force: we only need the first four bytes
cmp_dword = u32(tmp1[:4])
print(flags)
# At this point it turned out that _mm_crc32_u32 does not compute the usual (zlib) CRC32 (it is CRC32-C),
# so the values of the four flag heads run through that function were obtained with C instead.
# Run block1 of the C code here.
mm_crc32 = [0x11dc4d59, 0x788bcf1a, 0x2a9f67b4, 0x63756b29]
fs_0 = 0x7177625F32303231
for i in range(4):
    tmp2 = cmp_dword - mm_crc32[i]
    check_result, a = check_time(tmp2, fs_0)
    #print(hex(check_result))
    if check_result == 0x1C986C3B22EA63E5:
        print("%x" % tmp2)
        break
# with time brute-forced, cmp_data can be used for the decryption.
time = 0x6e191
print(xor_data1)
cmp_data = []
for i in range(0, len(tmp1), 4):
    cmp_data.append(u32(tmp1[i:i+4]))
print(cmp_data)
# run block2 of the C code to get the flag

C code:

//
// Created by 沉默 on 2021/8/5.
//
#include <stdio.h>
#include <string.h>
#include <x86intrin.h>
#include <stdint.h>
int main ()
{
    uint8_t xor_data[32] = {165, 220, 121, 181, 173, 29, 65, 7, 237, 84, 204, 183, 178, 23, 228, 173, 33, 228, 94, 150, 235, 53, 196, 224, 80, 127, 120, 95, 136, 104, 38, 98};
    uint32_t cmp_data[8] = {300101354, 692449755, 68961085, 1961038602, 1360777330, 876211964, 4117590324, 486061757};
    uint32_t flag_head[4] = {3524833475, 1073762795, 3433964444, 3601219811};
    uint32_t flag_tmp[9] = {0};  // one spare dword so the result stays NUL-terminated for printf("%s")
    uint32_t xor_data_dword[8];
    memcpy(xor_data_dword, xor_data, sizeof xor_data);  // view the 32 bytes as 8 dwords without aliasing issues

    // block1: get mm_crc32
    for (int i = 0; i < 4; i++)
    {
        printf("%x\n", _mm_crc32_u32(0, flag_head[i]));
    }
    // block2: get the flag before the XOR
    for (int i = 0; i < 8; ++i) { // 4 * 8
        for (uint32_t val = 0; val != 0xffffffff; ++val) {
            if (cmp_data[i] - 0x6e191 == _mm_crc32_u32(0, val)) {
                flag_tmp[i] = val;
                break;
            }
        }
    }
    // get the flag
    for (int i = 0; i < 8; ++i) {
        flag_tmp[i] ^= xor_data_dword[i];
    }
    printf("%s", (char *)flag_tmp);
    return 0;
}

Note that _mm_crc32_u32 belongs to the SSE4.2 instruction set, so the file has to be compiled with SSE4.2 enabled (for example gcc -msse4.2).
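As an added illustration (not the writeup's code) of the remark that _mm_crc32_u32 is not the zlib CRC32, and of what block2 searches for: a pure-Python model of the SSE4.2 instruction (CRC-32C, reflected polynomial 0x82F63B78, no initial or final inversion), the standard CRC-32C built on it for comparison with zlib, and a direct inversion that yields block2's result in 32 steps instead of scanning 2^32 candidates. TIME and CMP_DATA are the writeup's own values; the function names are mine.

```python
import zlib

CRC32C_POLY = 0x82F63B78  # reflected Castagnoli polynomial used by the SSE4.2 CRC32 instruction

def _crc_rounds(crc, nbits):
    """Run nbits single-bit steps of the reflected CRC32-C register update."""
    for _ in range(nbits):
        crc = (crc >> 1) ^ (CRC32C_POLY if crc & 1 else 0)
    return crc

def mm_crc32_u8(crc, byte):
    """Model of _mm_crc32_u8: fold one byte into crc, no init/final XOR."""
    return _crc_rounds((crc ^ byte) & 0xFFFFFFFF, 8)

def mm_crc32_u32(crc, value):
    """Model of _mm_crc32_u32: fold one little-endian dword into crc."""
    return _crc_rounds((crc ^ value) & 0xFFFFFFFF, 32)

def crc32c(data):
    """Standard CRC-32C (init and final XOR 0xFFFFFFFF) built on the instruction model."""
    crc = 0xFFFFFFFF
    for b in data:
        crc = mm_crc32_u8(crc, b)
    return crc ^ 0xFFFFFFFF

def crc32c_vs_zlib(data):
    """(CRC-32C, zlib CRC-32) of data: they differ, which is why block1 was needed."""
    return crc32c(data), zlib.crc32(data) & 0xFFFFFFFF

def invert_mm_crc32_u32(crc_in, target):
    """Return the dword v with mm_crc32_u32(crc_in, v) == target.
    Each bit-step is reversible: bit 31 of its output is the bit that was shifted
    out (the polynomial's top bit is set), so 32 reverse steps recover the input."""
    crc = target
    for _ in range(32):
        lsb = crc >> 31
        crc = ((crc ^ (CRC32C_POLY if lsb else 0)) << 1) | lsb
    return (crc ^ crc_in) & 0xFFFFFFFF

# Values from the writeup's C code: block2 looks for flag_tmp[i] with
# _mm_crc32_u32(0, flag_tmp[i]) == cmp_data[i] - time (mod 2**32).
TIME = 0x6e191
CMP_DATA = [300101354, 692449755, 68961085, 1961038602,
            1360777330, 876211964, 4117590324, 486061757]

def recover_flag_tmp():
    """block2's result by direct inversion, one dword per cmp_data entry."""
    return [invert_mm_crc32_u32(0, (c - TIME) & 0xFFFFFFFF) for c in CMP_DATA]
```

XORing recover_flag_tmp() with the writeup's xor_data dwords reproduces the final step of the C code.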

image-20210806145945570

Getting familiar with the API

Finally, we use a very simple CTF challenge to get familiar with the commonly used unicorn APIs.

image-20210806172612763

from unicorn import *
from unicorn.x86_const import *

def read(name):
    with open(name, "rb") as fp:
        return fp.read()

def hook_code(mu, address, size, user_data):
    #print('>>> Tracing instruction at 0x%x, instruction size = 0x%x' % (address, size))

    if address == 0x1241:
        # print the flag
        flag = mu.mem_read(0x1200, 0x22)
        print(flag)
    if address == 0x1235:
        # write the string offset into the bx register
        mu.reg_write(UC_X86_REG_BX, 0x1200)
        # set the ip register
        mu.reg_write(UC_X86_REG_IP, 0x1239)


# memory address where the emulator starts
BASE = 0x1000

print("Emulate asm.exe:")
try:
    # initialise the emulator as x86 16-bit
    mu = Uc(UC_ARCH_X86, UC_MODE_16)
    # map 1 MB of memory for the emulator
    mu.mem_map(BASE, 1024 * 1024, UC_PROT_ALL)
    # write the program into memory
    mu.mem_write(BASE, read("./asm.exe"))
    # register an instruction hook so hook_code is called for every instruction executed
    mu.hook_add(UC_HOOK_CODE, hook_code)
    # 010Editor shows that the program starts at offset 0x200.
    # emulate (emu_start takes four parameters; the last two are the timeout and the number of
    # instructions to execute; leaving them out emulates with no time limit and no instruction limit)
    mu.emu_start(0x1232, 0x1255)

except UcError as e:
    print("ERROR: %s" % e)

Summary

From having no clue at all to consulting the blogs of more experienced people and writing scripts to solve the challenge, I gained a lot: a basic understanding of unicorn, the use of the BinDiff tool, an approach to control-flow reconstruction, and rewriting assembly code with Python. Although it took several days, fully understanding a kind of challenge I had never encountered before was well worth it. With this I count as having gotten started with unicorn; I have also tried emulating some more complex code, but those attempts all failed, so I still need to learn the advanced usage, such as removing OLLVM obfuscation.

References

unicorn API: https://github.com/kabeor/Micro-Unicorn-Engine-API-Documentation/blob/master/Micro%20Unicorn-Engine%20API%20Documentation.md
unicorn official site: https://www.unicorn-engine.org/docs/
Writeups for unicorn_like_pro:
https://bbs.pediy.com/thread-268125.htm#msg_header_h1_0
https://panda0s.top/2021/06/14/%E5%BC%BA%E7%BD%91%E6%9D%AF-unicorn-like-a-pro/

Unless otherwise stated, all articles on this blog are licensed under CC BY-SA 4.0; please credit the source when reposting.