[New Tool] Capstone Disassembly Engine v3.0 Released

Capstone is a lightweight multi-platform, multi-architecture disassembly framework.

 

Features

  • Multi-architecture: Arm, Arm64 (Armv8), Mips, PowerPC, Sparc, SystemZ, XCore & X86 (including X86_64).
  • Clean/simple/lightweight/intuitive architecture-neutral API.
  • Provides details on each disassembled instruction (called a “decomposer” by some others).
  • Provides some semantics of the disassembled instruction, such as the list of implicit registers read & written.
  • Implemented in pure C, with bindings for Python, Ruby, C#, NodeJS, Java, Go, C++, OCaml & Vala available.
  • Native support for Windows & *nix (with Mac OSX, iOS, Android, Linux, *BSD & Solaris confirmed).
  • Thread-safe by design.
  • Special support for embedding into firmware or OS kernel.
  • High performance & suitable for malware analysis (capable of handling various X86 malware tricks).
  • Distributed under the open source BSD license.

 

Changelog v3.0

API changes

  • New API cs_disasm_iter & cs_malloc. See online doc at http://capstone-engine.org/iteration.html
  • Renamed API cs_disasm_ex to cs_disasm (cs_disasm_ex is still supported, but is marked obsolete and will be removed in the future).
  • Support SKIPDATA mode, so Capstone can jump over unknown data and keep going from the next legitimate instruction.
  • More details provided in cs_detail struct for all architectures.
  • API version was bumped to 3.0.

Bindings support

  • Python binding supports Python3 (besides Python2).
  • OCaml binding is now supported.

Architectures

  • New architectures: Sparc, SystemZ & XCore.
  • Important bugfixes for Arm, Arm64, Mips, PowerPC & X86.
  • Support more instructions for Arm, Arm64, Mips, PowerPC & X86.
  • Always expose absolute addresses rather than relative addresses (Arm, Arm64, Mips, PPC, Sparc, X86).
  • Use common instruction operand types REG, IMM, MEM & FP across all architectures (to enable cross-architecture analysis).
  • Use common instruction group types across all architectures (to enable cross-architecture analysis).

X86

  • X86 engine is mature & handles all the malware tricks (that we are aware of).
  • Added a lot of new instructions (such as AVX512, 3DNow, etc).
  • Add prefixed symbols X86_PREFIX_REP/REPNE/LOCK/CS/DS/SS/FS/GS/ES/OPSIZE/ADDRSIZE (x86.h).
  • Print immediate in positive form & hexadecimal for AND/OR/XOR instructions.
  • More friendly disassembly for JMP16i (in the form segment:offset).

Mips

  • Engine added support for new hardware modes: Mips32R6 (CS_MODE_MIPS32R6) & MipsGP64 (CS_MODE_MIPSGP64).
  • Removed the ABI-only mode CS_MODE_N64.
  • New modes CS_MODE_MIPS32 & CS_MODE_MIPS64 (instead of CS_MODE_32 & CS_MODE_64).

ARM

  • Support new mode CS_MODE_V8 for Armv8 A32 encodings.
  • Print immediate in positive form & hexadecimal for AND/ORR/EOR/BIC instructions.

ARM64

  • Print immediate in hexadecimal for AND/ORR/EOR/TST instructions.

PowerPC

  • Do not print a dot in front of absolute address.

Others


 

Download Capstone Disassembly Engine v3.0: http://capstone-engine.org/download.html

MaxiSoler

www.artssec.com @maxisoler