Welcome

Capstone is a lightweight multi-platform, multi-architecture disassembly framework.

Our target is to make Capstone the ultimate disassembly engine for binary analysis and reversing in the security community.

Highlight features


Some of the reasons making Capstone unique are elaborated here.

Find in this Blackhat USA 2014 slides more technical details behind our disassembly engine.

Testimonials

“Capstone is something people have wanted for years; the value is apparent in the implementation, and it’s nice to finally have an industry standard for this”. – George “Geohot” Hotz.

“Capstone has changed the Reverse Engineering landscape: We finally have a solid, independent, and free disassembler engine”. – Felix “FX” Lindner.

“Capstone will soon be the standard disassembly engine”. – Bruce Dang.

“Capstone solves a well known issue in the reversing community by a well tested and maintained library for most common architectures using a generic API”. – Pancake.

“And, nowadays, Capstone is the best embeddable disassembler out there”. – Joxean Koret.

“I must have mentioned it at least 25 times today with our client. Not sure yet, but this engine might just be the gold standard”. – Stephen Ridley.

“Developers of Capstone provide great support. Its small size and high modularity makes it perfectly working in kernel as well!”. – Peter Hlavaty.

“Love at first sight! Beautiful API, support latest instructions, Capstone truly is the ultimate disassembly framework!”. – Ole André Vadla Ravnås.

“Simply the best - recommended to anyone asking which disassembler to use!”. – Jurriaan Bremer.

“The most complete disassembler library available for the reverse engineering and information security communities”. – Pedro “osxreverser” Vilaça.

“The API is straightforward and easy to work with, and on the few occasions we have run into issues the Capstone developers have provided bug fixes, new features, and support in a matter of hours”. – Sean Heelan.

“I expect Capstone to become the standard, a stepping stone for all projects everywhere”. – Ange Albertini.

See complete testimonials for Capstone here.


Version 4.0

December 18, 2018

We are super excited to announce version 4.0 of Capstone disassembler framework!

Exactly 5 years ago, on December 18th of 2013, we published our first version. Today, this release 4.0 marks 5 years of the project! Such a long journey, which is impossible without huge community support!

In no particular order, we would like to thank Thinkst Canary, NowSecure, ECQ, Senrio, GracefulBits & Catena Cyber for sponsoring this release!

We also wish to express our sincere gratitude to all contributors & donators, who generously supported us to maintain Capstone!

This version improves a lot of things over v3.0.5. The source code is available in zip & tar.gz formats, or at tag-name 4.0 in our Github repo.

Find pre-compiled binaries in the Download section.

See here for summary of the important changes of this version.

Version 3.0.5

July 18, 2018

We are very happy to announce version 3.0.5 of Capstone disassembler framework!

In no particular order, we would like to thank CrowdStrike, CMC Infosec & Jurriaan Bremer for sponsoring this version!

We also wish to express our sincere gratitude to all project contributors & donators, who generously supported us to maintain Capstone project!

This version fixes some important security issues of v3.0.4, as well as many improvements in the core & bindings. The source code is available in zip & tar.gz formats, or at tag-name 3.0.5 in our Github repo.

Find pre-compiled binaries in the Download section.

See here for summary of the important changes of this version 3.0.5.

Version 3.0.5-rc2

March 2, 2017

We are excited to announce version 3.0.5-RC2 of Capstone disassembler framework!

This release candidate fixes some important security issues of v3.0.4, as well significantly improve the core & bindings. We plan to release the official version 3.0.5 after some more tests.

The source code is available in zip and tar.gz formats, or at tagname 3.0.5-rc2 in our Github repo.

Find pre-compiled binaries in the Download section.

For any issues, please feed back via our contact.

Summary of the important changes of version 3.0.5-rc2.

Library

  • Fix build for Visual Studio 2012
  • Fix X86_REL_ADDR macro
  • Add CS_VERSION_MAJOR, CS_VERSION_MINOR, CS_VERSION_EXTRA
  • Better support for embedding Capstone into Windows kernel drivers
  • Support to embedded Capstone into MacOS kernel
  • Support MacOS 10.11 and up
  • Better support for Cygwin
  • Support build packages for FreeBSD & DragonflyBSD
  • Add a command-line tool “cstool”
  • Properly handle switching to Endian mode at run-time for Arm, Arm64, Mips & Sparc

X86

  • Some random 16-bit code can be handled wrongly.
  • Remove abundant operand type X86_OP_FP
  • Fix instructions MOVQ, LOOP, LOOPE, LOOPNE, CALL/JMP rel16, REPNE LODSD, MOV *AX, MOFFS, FAR JMP/CALL
  • Add X86_REG_EFLAGS for STC and STD
  • Fix instruction attributes for SYSEXIT, MOVW, ROL, LGS, SLDT
  • Rename registers ST0-ST7 to be consistent with asm output

Arm

  • Properly handle IT instruction
  • Fix LDRSB
  • Fix writeback for LDR
  • Fix Thumb BigEndian setup

Arm

  • Fix arith extender
  • Fix writeback for LDR
  • Rename enum arm64_mrs_reg to arm64_sysreg

PowerPC

  • Print 0 offset for memory operand

Sparc

  • Fix POPC instruction

Python binding

  • Better PyPy support
  • Add __version__
  • Better support for Python 3
  • Fix CS_SKIPDATA_CALLBACK prototype
  • Cast skipdata function inside binding to simplify the API

Java binding

  • Better handle input with invalid code

PowerShell binding

  • New binding

New logo

January 20, 2016

We are very excited to announce a new logo for Capstone engine! This shiny logo better reflects the spirit of our project, and is more suitable for Tshirts, stickers, mugs etc.

We would like to thank Xipiter for sponsoring the redesign of our new logo! The generous & continuous supports from community like this is the main reason why we keep putting significant time and effort maintaining & developing Capstone!

At the same time, we redesigned the website, so it is more friendly with mobile devices (such as smartphones & tablets). Let us know if you find any broken links.

Donation

July 29, 2015

Are you already using Capstone engine? Yes, if you are using any products in our showcase.

Please consider donating to help us improve Capstone!

You can either donate via Paypal or send us Bitcoins.

  • Paypal email: capstone.engine@gmail.com

  • Bitcoin: 1fGz2GYSjiJxUoACpsHXcGmaAhbEDTuWi (link)

Please let us know if you want to be listed as Capstone supporter after donating.

Why?

Capstone is totally free & developed in our spare time. So far we have never received a single cent from donation or sponsor.

However, we are realizing that to keep up with the increasing demand of community & push Capstone to another level, we need more helps from community.

For this reason, we are now receiving donation for Capstone.

What for?

The donation will be used to promote & improve Capstone. Some priorities are:

  • Get a professional designer to make a better logo that Capstone deserves to have.

  • Have the current website redesigned to be more friendly & efficient.

  • Give rewards to those who are willing to work on our outstanding works (such as this), so we can release the next versions faster.

  • Add more features requested by a lot of users, such as supporting new architectures like Hexagon.

What to get back?

The donators will:

  • Get listed in our website as Capstone supporter - if you do not want to remain anonymous.

  • For a certain amount of donation (to be decided), we can send you T-shirts/stickers/mugs with Capstone logo to show our appreciation.

  • For a certain amount of donation (TBD), we can help to integrate & customize Capstone for your products.

Thanks for your generous supports! Please contact us for any questions.

Version 3.0.4

July 15, 2015

We are excited to announce the stable version 3.0.4 of Capstone disassembly framework!

This release fixes some important security issues, so all users are strongly recommended to uprade.

The source code is available in zip and tar.gz formats, or at tagname 3.0.4 in our Github repo.

Find pre-compiled binaries in the Download section.

For any issues, please feed back via our contact.

NOTE

  • Do use the Python bindings come with this version, as we fixed some issues of version 3.0.3.

    See file bindings/python/README in the source on how to do fresh-install.

  • Our Python package capstone on PyPi can build & install the core at the time of installing Python module, so the external dependency on the core is eliminated.

    Windows users can either instal Python binding of Capstone from Windows installer, or using our PyPi package capstone-windows. Note that this already includes the prebuilt libraries (for both Win32 & Win64 editions) inside, so there is no need to install the core separately.


Summary of the important changes of version 3.0.4.

Library

  • Improve cross-compile for Android using Android NDK.
  • Support cross-compile for AArch64 Android (with Linux GCC).
  • Removed osxkernel_inttypes.h that is incompatible with BSD license.
  • Make it possible to compile with CC having a space inside (like “ccache gcc”).

X86

  • Fix a null pointer dereference bug on handling code with special prefixes.
  • Properly handle AL/AX/EAX operand for OUT instruction in AT&T syntax.
  • Print immediate operand in positive form in some algorithm instructions.
  • Properly decode some SSE instructions.

Arm

  • Fixed a memory corruption bug on IT instruction.

Mips

  • Fixed instruction ID of SUBU instruction.
  • Fixed a memory corruption bug.

PowerPC

  • Fixed some memory corruption bugs.

XCore

  • Fixed a memory corruption bug when instruction has a memory operand.

Python binding

  • Support Virtualenv.
  • setup.py supports option –user if not in a virtualenv to allow for local usage.
  • Properly handle the destruction of Cs object in the case the shared library was already unloaded.

Version 3.0.3

May 8, 2015

We are excited to announce the stable version 3.0.3 of Capstone disassembly framework!

This release is dedicated to Prof. Yoshiyasu Takefuji, who is turning 60 years old this year 2015!

The source code is available in zip and tar.gz formats, or at tagname 3.0.3 in our Github repo.

Find pre-compiled binaries in the Download section.

For any issues, please feed back via our contact.

NOTE

  • Do use the Python bindings come with this version, as we fixed some issues of version 3.0.2.

    See file bindings/python/README in the source on how to do fresh-install.

  • Our Python package capstone on PyPi can build & install the core at the time of installing Python module, so the external dependency on the core is eliminated.

    Windows users can either instal Python binding of Capstone from Windows installer, or using our PyPi package capstone-windows. Note that this already includes the prebuilt libraries (for both Win32 & Win64 editions) inside, so there is no need to install the core separately.

    See bindings/python/README.TXT for more information on these PyPi modules.


Summary of the important changes of version 3.0.3.

Library

  • Released binaries for Windows are now compatible with Windows XP.
  • Support to embed into Mac OS X kernel extensions.
  • Now it is possible to compile Capstone with older C compilers, such as GCC 4.8 on Ubuntu 12.04.
  • Add test_iter to MSVC project.

X86

  • All shifted instructions (SHL, SHR, SAL, SAR, RCL, RCR, ROL & ROR) now support $1 as first operand in AT&T syntax (so we have rcll $1, %edx instead of rcll %edx).
  • CMPXCHG16B is a valid instruction with LOCK prefix.
  • Fixed a segfault on the input of 0xF3.

Arm

  • BLX instruction modifies PC & LR registers.

Sparc

  • Improved displacement decoding for sparc banching instructions.

Python binding

  • Fix for Cython so it can properly initialize.
  • X86Op.avx_zero_mask now has c_bool type, but not c_uint8 type.
  • Properly support compile with Cygwin & install binding (setup.py).

Version 3.0.3-RC1

April 28, 2015

We are happy to announce the Release Candidate 1 of version 3.0.3 of Capstone disassembly framework!

The source code is available in zip and tar.gz formats, or at tagname 3.0.3-rc1 in our Github repo.

Please test and feed back via our contact.

NOTE

  • Do use the Python bindings come with this version, as we fixed some issues in version 3.0.2.

    See file bindings/python/README in the source on how to do fresh-install.


Summary of the important changes of version 3.0.3-RC1 (see Changelog for more details):

  • Fixed a segfault of X86 engine.

  • Some bug fixes for X86, Arm & Sparc.

  • Fixed some issues for Python & Cython bindings.

  • Support to embed Capstone into Mac OS X kernel extensions.

  • Fixed compilation issue with older C compilers such as gcc 4.6.

See the news archive for older posts.