Capstone

Welcome

Capstone is a lightweight multi-platform, multi-architecture disassembly framework.

Our target is to make Capstone the ultimate disassembly engine for binary analysis and reversing in the security community.

Highlight features


Some of the reasons making Capstone unique are elaborated here.

Find more technical details behind our disassembly engine in these Blackhat USA 2014 slides.

Testimonials

“Capstone is something people have wanted for years; the value is apparent in the implementation, and it’s nice to finally have an industry standard for this”. – George “Geohot” Hotz.

“Capstone has changed the Reverse Engineering landscape: We finally have a solid, independent, and free disassembler engine”. – Felix “FX” Lindner.

“Capstone will soon be the standard disassembly engine”. – Bruce Dang.

“Capstone solves a well known issue in the reversing community by a well tested and maintained library for most common architectures using a generic API”. – Pancake.

“And, nowadays, Capstone is the best embeddable disassembler out there”. – Joxean Koret.

“I must have mentioned it at least 25 times today with our client. Not sure yet, but this engine might just be the gold standard”. – Stephen Ridley.

“Developers of Capstone provide great support. Its small size and high modularity makes it perfectly working in kernel as well!”. – Peter Hlavaty.

“Love at first sight! Beautiful API, support latest instructions, Capstone truly is the ultimate disassembly framework!”. – Ole André Vadla Ravnås.

“Simply the best - recommended to anyone asking which disassembler to use!”. – Jurriaan Bremer.

“The most complete disassembler library available for the reverse engineering and information security communities”. – Pedro “osxreverser” Vilaça.

“The API is straightforward and easy to work with, and on the few occasions we have run into issues the Capstone developers have provided bug fixes, new features, and support in a matter of hours”. – Sean Heelan.

“I expect Capstone to become the standard, a stepping stone for all projects everywhere”. – Ange Albertini.

See complete testimonials for Capstone here.


Donation

29 Jul 2015

Are you already using Capstone engine? Yes, if you are using any products in our showcase.

Please consider donating to help us improve Capstone!


You can either donate via Paypal or send us Bitcoins.

  • Paypal email: capstone.engine@gmail.com

  • Bitcoin: 1fGz2GYSjiJxUoACpsHXcGmaAhbEDTuWi


Please let us know if you want to be listed as a Capstone supporter after donating.


Why?

Capstone is totally free & developed in our spare time. So far we have never received a single cent from donations or sponsors.

However, we realize that to keep up with the increasing demand from the community & push Capstone to another level, we need more help from the community.

For this reason, we are now accepting donations for Capstone.


What for?

The donation will be used to promote & improve Capstone. Some priorities are:

  • Get a professional designer to make a better logo that Capstone deserves to have.

  • Have the current website redesigned to be more friendly & efficient.

  • Give rewards to those who are willing to work on our outstanding tasks (such as this), so we can release the next versions faster.

  • Add more features requested by a lot of users, such as supporting new architectures like Hexagon.


What to get back?

Donors will:

  • Get listed on our website as a Capstone supporter, if you do not want to remain anonymous.

  • For a certain amount of donation (to be decided), we can send you T-shirts/stickers/mugs with the Capstone logo to show our appreciation.

  • For a certain amount of donation (TBD), we can help to integrate & customize Capstone for your products.


Thanks for your generous support! Please contact us for any questions.


Version 3.0.4

15 Jul 2015

We are excited to announce the stable version 3.0.4 of Capstone disassembly framework!

This release fixes some important security issues, so all users are strongly recommended to upgrade.


The source code is available in zip and tar.gz formats, or at tagname 3.0.4 in our Github repo.

Find pre-compiled binaries in the Download section.

For any issues, please feed back via our contact.


NOTE

  • Do use the Python bindings that come with this version, as we fixed some issues in version 3.0.3.

    See file bindings/python/README in the source on how to do a fresh install.

  • Our Python package capstone on PyPI can build & install the core at the time of installing the Python module, so the external dependency on the core is eliminated.

    Windows users can either install the Python binding of Capstone from the Windows installer, or use our PyPI package capstone-windows. Note that this already includes the prebuilt libraries (for both Win32 & Win64 editions) inside, so there is no need to install the core separately.


Summary of the important changes of version 3.0.4.

Library

  • Improve cross-compile for Android using Android NDK.
  • Support cross-compile for AArch64 Android (with Linux GCC).
  • Removed osxkernel_inttypes.h that is incompatible with BSD license.
  • Make it possible to compile with CC having a space inside (like “ccache gcc”).

X86

  • Fix a null pointer dereference bug on handling code with special prefixes.
  • Properly handle AL/AX/EAX operand for OUT instruction in AT&T syntax.
  • Print immediate operand in positive form in some algorithm instructions.
  • Properly decode some SSE instructions.

Arm

  • Fixed a memory corruption bug on IT instruction.

Mips

  • Fixed instruction ID of SUBU instruction.
  • Fixed a memory corruption bug.

PowerPC

  • Fixed some memory corruption bugs.

XCore

  • Fixed a memory corruption bug when instruction has a memory operand.

Python binding

  • Support Virtualenv.
  • setup.py supports option --user if not in a virtualenv to allow for local usage.
  • Properly handle the destruction of Cs object in the case the shared library was already unloaded.

Version 3.0.3

8 May 2015

We are excited to announce the stable version 3.0.3 of Capstone disassembly framework!

This release is dedicated to Prof. Yoshiyasu Takefuji, who is turning 60 years old this year 2015!


The source code is available in zip and tar.gz formats, or at tagname 3.0.3 in our Github repo.

Find pre-compiled binaries in the Download section.

For any issues, please feed back via our contact.


NOTE

  • Do use the Python bindings that come with this version, as we fixed some issues in version 3.0.2.

    See file bindings/python/README in the source on how to do a fresh install.

  • Our Python package capstone on PyPI can build & install the core at the time of installing the Python module, so the external dependency on the core is eliminated.

    Windows users can either install the Python binding of Capstone from the Windows installer, or use our PyPI package capstone-windows. Note that this already includes the prebuilt libraries (for both Win32 & Win64 editions) inside, so there is no need to install the core separately.

    See bindings/python/README.TXT for more information on these PyPI modules.


Summary of the important changes of version 3.0.3.

Library

  • Released binaries for Windows are now compatible with Windows XP.
  • Support to embed into Mac OS X kernel extensions.
  • Now it is possible to compile Capstone with older C compilers, such as GCC 4.8 on Ubuntu 12.04.
  • Add test_iter to MSVC project.

X86

  • All shifted instructions (SHL, SHR, SAL, SAR, RCL, RCR, ROL & ROR) now support $1 as first operand in AT&T syntax (so we have rcll $1, %edx instead of rcll %edx).
  • CMPXCHG16B is a valid instruction with LOCK prefix.
  • Fixed a segfault on the input of 0xF3.

Arm

  • BLX instruction modifies PC & LR registers.

Sparc

  • Improved displacement decoding for Sparc branching instructions.

Python binding

  • Fix for Cython so it can properly initialize.
  • X86Op.avx_zero_mask now has c_bool type rather than c_uint8 type.
  • Properly support compiling with Cygwin & installing the binding (setup.py).

Version 3.0.3-RC1

28 Apr 2015

We are happy to announce the Release Candidate 1 of version 3.0.3 of Capstone disassembly framework!

The source code is available in zip and tar.gz formats, or at tagname 3.0.3-rc1 in our Github repo.

Please test and feed back via our contact.


NOTE

  • Do use the Python bindings that come with this version, as we fixed some issues in version 3.0.2.

    See file bindings/python/README in the source on how to do a fresh install.


Summary of the important changes of version 3.0.3-RC1 (see Changelog for more details):

  • Fixed a segfault of X86 engine.

  • Some bug fixes for X86, Arm & Sparc.

  • Fixed some issues for Python & Cython bindings.

  • Support to embed Capstone into Mac OS X kernel extensions.

  • Fixed compilation issue with older C compilers such as gcc 4.6.


Some new features of the next release 4.0

27 Apr 2015

We have been working hard for the next release 4.0 of Capstone, which promises a lot of important updates & new features in various areas.

Get the latest code from our Github’s next branch to experience the cutting-edge features of the upcoming version.


Summary of the most interesting changes of the next branch so far:

  • Update the engines of X86, PowerPC & Mips with support for a lot of new instructions.

  • New option CS_OPT_MNEMONIC to customize instruction mnemonics at run-time (see documentation).

  • New API cs_regs_access() & access info for instruction operands (see documentation).


Further details are available in our Changelog


Version 3.0.2

11 Mar 2015

We are happy to announce the stable version 3.0.2 of Capstone disassembly framework!

The source code is available in zip and tar.gz formats, or at tagname 3.0.2 in our Github repo.

Find pre-compiled binaries in the Download section.

Please test and feed back via our contact.


NOTE:

  • Our Python package capstone on PyPI can build & install the core at the time of installing the Python module, so the external dependency on the core is eliminated.

    Windows users can either install the Python binding of Capstone from the Windows installer, or use our PyPI package capstone-windows. Note that this already includes the prebuilt libraries (for both Win32 & Win64 editions) inside, so there is no need to install the core separately.

    See bindings/python/README.TXT for more information on these PyPI modules.


Summary of the important changes of this version.


  • Library

    • On *nix, only export symbols that are part of the API (instead of all the internal symbols).


  • X86

    • Do not consider 0xF2 as REPNE prefix if it is a part of instruction encoding.
    • Fix implicit registers read/written & instruction groups of some instructions.
    • More flexible on the order of prefixes, so better handle some tricky instructions.
    • REPNE prefix can go with STOS & MOVS instructions.
    • Fix a compilation bug for X86_REDUCE mode.
    • Fix operand size of instructions with operand PTR [].


  • Arm

    • Fix a bug where arm_op_mem.disp is wrongly calculated (in DETAIL mode).
    • Fix a bug on handling the If-Then block.


  • Mips

    • Sanity check for the input size for MIPS64 mode.


  • MSVC

    • Compile capstone.dll with static runtime MSVCR built in.


  • Python binding

    • Fix a compiling issue of Cython binding with gcc 4.9.

Version 3.0.1

3 Feb 2015

We are excited to announce the stable version 3.0.1 of Capstone disassembly framework!

The source code is available in zip and tar.gz formats, or at tagname 3.0.1 in our Github repo.

Find pre-compiled binaries in the Download section.

Please test and feed back via our contact.


NOTE:

  • This version fixes some important issues in the Python binding, so Python users should upgrade their binding. See bindings/python/README.TXT in the source code on how to do a fresh reinstall.

  • Since this version, our Python package capstone on PyPI can build & install the core at the time of installing the Python module, so the external dependency on the core is eliminated.

    Another new package capstone-windows is available for Windows users who do not want to compile from source, as this package includes prebuilt libraries (for both Win32 & Win64 editions) inside.

    See bindings/python/README.TXT for more information on these PyPI modules.


Summary of the important changes of this version.

  • X86
    • Properly handle LOCK, REP, REPE & REPNE prefixes.
    • Handle undocumented immediates for SSE’s (V)CMPPS/PD/SS/SD instructions.
    • Print LJUMP/LCALL without * as prefix for Intel syntax.
    • Handle REX prefix properly for segment/MMX related instructions (x86_64).
    • An instruction with length > 15 is considered invalid.
    • Handle some tricky encodings for instructions MOVSXD, FXCH, FCOM, FCOMP, FSTP, FSTPNCE, NOP.
    • Handle some tricky code for some x86_64 instructions with REX prefix.
    • Add missing operands in detail mode for PUSH, POP, IN/OUT reg, reg.
    • MOV32ms & MOV32sm reference word rather than dword.


  • Arm64
    • BL & BLR instructions do not read SP register.
    • Print absolute (rather than relative) address for instructions B, BL, CBNZ, ADR.


  • Arm
    • Instructions ADC & SBC do not update flags.
    • BL & BLX do not read SP, but PC register.
    • Alias LDR instruction with operands [sp], 4 to POP.
    • Print immediate operand of MVN instruction in positive hexadecimal form.


  • PowerPC
    • Fix some compilation bugs when DIET mode is enabled.
    • Populate SLWI/SRWI instruction details with SH operand.


  • Python binding
    • Fix a Cython bug when CsInsn.bytes returns a shortened array of bytes.
    • Fixed a memory leak for Cython disasm functions when we prematurely quit the enumeration of disassembled instructions.
    • Fix a NULL memory access issue when SKIPDATA & Detail modes are enabled at the same time.
    • Fix a memory leak bug when we stop enumeration over the disassembled instructions prematurely.
    • Export generic operand types & groups (CS_OP_xxx & CS_GRP_xxx).

Version 3.0.1-RC2

20 Jan 2015

We are happy to announce the Release Candidate 2 of version 3.0.1 of Capstone disassembly framework!

The source code is available in zip and tar.gz formats, or at tagname 3.0.1-rc2 in our Github repo.

Please test and feed back via our contact.


NOTE

  • Do use the Python bindings that come with this version, as this fixed some important issues in version 3.0.

    For Java/Ocaml/Python bindings, see the respective README files under the bindings/ directory in the source on how to do a fresh install.


Summary of the important changes of version 3.0.1-RC2 (see Changelog for more details):

  • Bug fixes for X86, Arm, Arm64.

  • Fixed some issues, including a memory leaking bug, for Python (Cython) bindings.


See the news archive for older posts.