Rev Unicorn Debug

Name: Rev Unicorn Debug
Author: p4nda0s

p4nda0s/reverse-skills

Emulate isolated binary functions with Unicorn so you can trace decryption or JNI-dependent logic without running the full program on your host.

Install

npx skills add https://github.com/p4nda0s/reverse-skills --skill rev-unicorn-debug

What is this skill?

Loads binaries as raw bytes first—maps into Unicorn without full ELF/PE/Mach-O parsing unless segment addresses force mi
Surfaces and hooks context dependencies: JNI, syscalls, libc, and imports via Unicorn callbacks
Follows 5 core principles: raw load, dependency hooks, callbacks, iterative crash fix, and minimal block-level tracing
Supports decrypt/decode-by-emulation and bypassing environment deps during partial execution
Crash-driven iteration: missing memory maps, unhandled calls, and register fixes from hook diagnostics

Adoption & trust: 631 installs on skills.sh; 1.3k GitHub stars; 1/3 security scanners passed (skills.sh audits).

Recommended Skills

Azure Diagnosticsmicrosoft/azure-skills

Azure Diagnostics walks agents through systematic production troubleshooting on Azure—checking resource health, AppLens …374k installs·1.2k stars

Diagnosemattpocock/skills

Matt Pocock-style diagnose skill that prioritizes deterministic pass/fail signals then walks through structured debuggin…187k installs·121k stars

Systematic Debuggingobra/superpowers

Systematic Debugging is an agent skill that forces a root-cause-first workflow before any proposed fix for bugs, test fa…134k installs·221k stars

Safe Debuglllllllama/rigorpilot-skills

safe-debug implements Rigor Debug / Rigor Audit mode for deep-learning research repos: your agent reads the traceback or…32.3k installs·412 stars

Mastramastra-ai/skills

The mastra skill is a structured troubleshooting companion for solo builders shipping TypeScript agents on the Mastra fr…18.5k installs·57 stars

Insforge Debuginsforge/agent-skills

InsForge Debug guides solo builders through structured diagnosis on InsForge-backed projects when something breaks in pr…9.2k installs·27 stars

Journey fit

Primary fit

Canonical shelf is Ship → Security because the skill centers on controlled emulation of untrusted or opaque machine code—analysis and validation before you trust behavior in production. Security subphase fits reverse-engineering and anti-tamper workflows where you must observe algorithm behavior without full binary execution or real environment side effects.

Common Questions / FAQ

Is Rev Unicorn Debug safe to install?

skills.sh reports 1 of 3 security scanners passed. Review the Security Audits panel on this page before installing in production.

SKILL.md

READMESKILL.md - Rev Unicorn Debug

# rev-unicorn-debug - Unicorn Emulation Debugger

Debug and emulate specific code fragments or functions using the Unicorn engine. Analyze context dependencies (JNI, syscalls, library functions) and simulate them through hook mechanisms to complete the user's debugging goal.

---

## Core Principles

1. **Load file raw first** — do NOT parse ELF/PE/Mach-O headers. Read the file as raw bytes and map directly into Unicorn memory. We only need to emulate specific functions, not the entire binary. If raw loading fails (code references segments at specific addresses), then parse minimally — only map the segments needed.
2. **Identify context dependencies** — analyze the target code for external calls (JNI, syscalls, libc, imports) and hook them to provide simulated responses.
3. **Use callbacks extensively** — leverage Unicorn's hook system for debugging, tracing, error recovery, and environment simulation.
4. **Iterative fix** — when emulation crashes, use the callback info to diagnose and fix (map missing memory, hook unhandled calls, fix register state).
5. **Minimal trace output** — prefer block-level tracing over instruction-level. Only enable instruction trace on small targeted ranges. Use counters and summaries instead of per-step logging.

---

## Environment Simulation Strategy

Before emulating, read the target function and identify what it calls. Hook external dependencies by address and simulate in Python:

| Category | Examples | Simulation Strategy |
|----------|----------|-------------------|
| libc | `malloc`, `free`, `memcpy`, `strlen`, `printf` | Hook address, implement logic in Python (bump allocator for malloc) |
| JNI | `GetStringUTFChars`, `FindClass`, `GetMethodID` | Build fake JNIEnv function table in UC memory, write RET stubs at each entry, hook stub addresses |
| Syscalls | `read`, `write`, `mmap`, `ioctl` | Hook `UC_HOOK_INTR`, dispatch by syscall number |
| C++ runtime | `operator new`, `__cxa_throw` | Hook and simulate |
| Library calls | `pthread_mutex_lock`, `dlopen` | Hook and return success/stub |

**Hook pattern:** Register a `UC_HOOK_CODE` callback. When PC hits a known import address, execute the Python simulation, then set PC = LR to skip the original function.

---

## Callback Types to Use

| Callback | Purpose |
|----------|---------|
| `UC_HOOK_CODE` | Intercept import calls by address; instruction-level trace (use sparingly, narrow range only) |
| `UC_HOOK_BLOCK` | Block-level trace (preferred over instruction trace) |
| `UC_HOOK_MEM_UNMAPPED` | Auto-map missing pages to recover from unmapped access errors |
| `UC_HOOK_MEM_READ \| UC_HOOK_MEM_WRITE` | Trace memory access on targeted data ranges only |
| `UC_HOOK_INTR` | Intercept SVC/INT for syscall simulation |

---

## Iterative Debugging Workflow

When emulation fails, follow this loop:

1. **Run** — start emulation, let it crash
2. **Read callback output** — which address faulted? What type (read/write/fetch)?
3. **Diagnose**:
   - Unmapped memory fetch → missing code page, map it
   - Unmapped memory read/write → missing data section or uninitialized pointer, map or hook
   - Hitting an import stub → identify the function, add a simulation hook
   - Infinite loop → add a code hook with execution counter, stop after threshold
4. **Fix** — add the hook / map the memory / adjust registers
5. **Re-run** — repeat until the target function completes

---

## Architecture Quick Reference

| Arch | Uc Const | Mode | SP | LR | Args | Return | Syscall |
|------|----------|------|----|----|------|--------|---------|
| ARM64 | `UC_ARCH_ARM64` | `UC_MODE_LITTLE_ENDIAN` | SP | X30

What is this skill?

Loads binaries as raw bytes first—maps into Unicorn without full ELF/PE/Mach-O parsing unless segment addresses force mi

Surfaces and hooks context dependencies: JNI, syscalls, libc, and imports via Unicorn callbacks

Follows 5 core principles: raw load, dependency hooks, callbacks, iterative crash fix, and minimal block-level tracing

Supports decrypt/decode-by-emulation and bypassing environment deps during partial execution

Crash-driven iteration: missing memory maps, unhandled calls, and register fixes from hook diagnostics

Adoption & trust: 631 installs on skills.sh; 1.3k GitHub stars; 1/3 security scanners passed (skills.sh audits).

Journey fit

Primary fit

SKILL.md

READMESKILL.md - Rev Unicorn Debug

# rev-unicorn-debug - Unicorn Emulation Debugger

Debug and emulate specific code fragments or functions using the Unicorn engine. Analyze context dependencies (JNI, syscalls, library functions) and simulate them through hook mechanisms to complete the user's debugging goal.

---

## Core Principles

1. **Load file raw first** — do NOT parse ELF/PE/Mach-O headers. Read the file as raw bytes and map directly into Unicorn memory. We only need to emulate specific functions, not the entire binary. If raw loading fails (code references segments at specific addresses), then parse minimally — only map the segments needed.
2. **Identify context dependencies** — analyze the target code for external calls (JNI, syscalls, libc, imports) and hook them to provide simulated responses.
3. **Use callbacks extensively** — leverage Unicorn's hook system for debugging, tracing, error recovery, and environment simulation.
4. **Iterative fix** — when emulation crashes, use the callback info to diagnose and fix (map missing memory, hook unhandled calls, fix register state).
5. **Minimal trace output** — prefer block-level tracing over instruction-level. Only enable instruction trace on small targeted ranges. Use counters and summaries instead of per-step logging.

---

## Environment Simulation Strategy

Before emulating, read the target function and identify what it calls. Hook external dependencies by address and simulate in Python:

| Category | Examples | Simulation Strategy |
|----------|----------|-------------------|
| libc | `malloc`, `free`, `memcpy`, `strlen`, `printf` | Hook address, implement logic in Python (bump allocator for malloc) |
| JNI | `GetStringUTFChars`, `FindClass`, `GetMethodID` | Build fake JNIEnv function table in UC memory, write RET stubs at each entry, hook stub addresses |
| Syscalls | `read`, `write`, `mmap`, `ioctl` | Hook `UC_HOOK_INTR`, dispatch by syscall number |
| C++ runtime | `operator new`, `__cxa_throw` | Hook and simulate |
| Library calls | `pthread_mutex_lock`, `dlopen` | Hook and return success/stub |

**Hook pattern:** Register a `UC_HOOK_CODE` callback. When PC hits a known import address, execute the Python simulation, then set PC = LR to skip the original function.

---

## Callback Types to Use

| Callback | Purpose |
|----------|---------|
| `UC_HOOK_CODE` | Intercept import calls by address; instruction-level trace (use sparingly, narrow range only) |
| `UC_HOOK_BLOCK` | Block-level trace (preferred over instruction trace) |
| `UC_HOOK_MEM_UNMAPPED` | Auto-map missing pages to recover from unmapped access errors |
| `UC_HOOK_MEM_READ \| UC_HOOK_MEM_WRITE` | Trace memory access on targeted data ranges only |
| `UC_HOOK_INTR` | Intercept SVC/INT for syscall simulation |

---

## Iterative Debugging Workflow

When emulation fails, follow this loop:

1. **Run** — start emulation, let it crash
2. **Read callback output** — which address faulted? What type (read/write/fetch)?
3. **Diagnose**:
   - Unmapped memory fetch → missing code page, map it
   - Unmapped memory read/write → missing data section or uninitialized pointer, map or hook
   - Hitting an import stub → identify the function, add a simulation hook
   - Infinite loop → add a code hook with execution counter, stop after threshold
4. **Fix** — add the hook / map the memory / adjust registers
5. **Re-run** — repeat until the target function completes

---

## Architecture Quick Reference

| Arch | Uc Const | Mode | SP | LR | Args | Return | Syscall |
|------|----------|------|----|----|------|--------|---------|
| ARM64 | `UC_ARCH_ARM64` | `UC_MODE_LITTLE_ENDIAN` | SP | X30

Install

What is this skill?

Recommended Skills

Journey fit

Is Rev Unicorn Debug safe to install?

SKILL.md

This week for builders

Install

What is this skill?

Recommended Skills

Journey fit

Is Rev Unicorn Debug safe to install?

SKILL.md