Capstone is a lightweight multi-platform, multi-architecture disassembly framework. Our target is to make Capstone the ultimate disassembly engine for binary analysis and reversing in the security community.

Features:

- Multi-architectures: ARM, ARM64 (ARMv8), BPF, Ethereum VM, M68K, M680X, Mips, MOS65XX, PowerPC, RISC-V, SH, Sparc, SystemZ, TMS320C64X, TriCore, WebAssembly, XCore and X86 (16, 32, 64).
- Clean/simple/lightweight/intuitive architecture-neutral API.
- Provides details on the disassembled instruction (called a "decomposer" by some others).
- Provides some semantics of the disassembled instruction, such as the list of implicit registers read & written.
- Implemented in pure C, with bindings for D, Clojure, F#, Common Lisp, Visual Basic, PHP, PowerShell, Haskell, Perl, Python, Ruby, C#, NodeJS, Java, Go, C++, OCaml, Lua, Rust, Delphi, Free Pascal & Vala available.
- Native support for Windows & *nix (with Mac OSX, iOS, Android, Linux, *BSD & Solaris confirmed).
- Special support for embedding into firmware or an OS kernel.
- High performance & suitable for malware analysis (capable of handling various X86 malware tricks).
- Distributed under the open source BSD license.

Some of the reasons making Capstone unique are elaborated here. The Blackhat USA 2014 slides give more technical details behind our disassembly engine.

What people say about Capstone:

“Simply the best - recommended to anyone asking which disassembler to use!”

“Love at first sight! Beautiful API, supports the latest instructions, Capstone truly is the ultimate disassembly framework!”

“Its small size and high modularity make it work perfectly in the kernel as well!”

“Developers of Capstone provide great support. Not sure yet, but this engine might just be the gold standard.”

“I must have mentioned it at least 25 times today with our client.”

“And, nowadays, Capstone is the best embeddable disassembler out there.”

“Capstone solves a well-known issue in the reversing community with a well-tested and maintained library for the most common architectures using a generic API.”

“Capstone will soon be the standard disassembly engine.”

“Capstone has changed the Reverse Engineering landscape: We finally have a solid, independent, and free disassembler engine.”

“Capstone is something people have wanted for years; the value is apparent in the implementation, and it’s nice to finally have an industry standard for this.”

Compare this with objdump on a small test program compiled from C. Using the -d option, we can see the assembly code for the binary:

```
$ objdump -d test
5fe: c7 45 fc 00 00 00 00 movl $0x0,-0x4(%rbp)
```

A binary file contains many sections in ELF format, with addresses and metadata for properly loading the executable when it is launched. Since we used the -d flag, objdump prints every section that contains code. Only the relevant part of main is shown here; the other sections have been stripped out of the listing. The add instruction that adds 20 (0x14) to the variable i is at address 605. To confirm that this really is our code, we can modify the C program, recompile it, and run objdump again to see the change.

Similarly, we can run the same command on the object file to disassemble the code:

```
$ objdump -d test.o
4: c7 45 fc 00 00 00 00 movl $0x0,-0x4(%rbp)
```

Unlike the linked binary, the object file contains only the code we wrote (here just main), and its addresses start at 0 because nothing has been linked yet. By default, objdump prints the disassembly in AT&T syntax; pass -M intel if you prefer Intel syntax.