If you have installed the unicorn emulation engine and its Python bindings, gef integrates a new command to emulate instructions of your current debugging context!

This command, unicorn-emulate (or its alias emu), replicates the current memory mapping (including the page permissions) for you. By default (i.e. without any additional argument) it emulates the execution of the instruction about to be executed (i.e. the one pointed to by $pc) and displays which registers are tainted (modified) by it.
Use -h for help:

    gef➤ emu -h
For example, the following command will execute only the next 2 instructions:

    gef➤ emu -n 2

In this example, we can see that after executing

    0x80484db <main+75>    xor    eax,eax
    0x80484dd <main+77>    add    esp,0x18

the registers eax and esp are tainted (modified).
A convenient option is -o /path/to/file.py, which generates a pure Python script embedding your current execution context, ready to be re-used outside gef! This can be useful for dealing with obfuscation or for solving crackmes, for instance when combined with an SMT solver.