Capstone

Welcome

Capstone is a lightweight multi-platform, multi-architecture disassembly framework.

Our target is to make Capstone the ultimate disassembly engine for binary analysis and reversing in the security community.

Highlight features


Some of the reasons that make Capstone unique are elaborated here.

Testimonials

“Capstone has changed the Reverse Engineering landscape: We finally have a solid, independent, and free disassembler engine”. – Felix “FX” Lindner.

“Capstone will soon be the standard disassembly engine”. – Bruce Dang.

“Capstone solves a well known issue in the reversing community by a well tested and maintained library for most common architectures using a generic API”. – Pancake.

“And, nowadays, Capstone is the best embeddable disassembler out there”. – Joxean Koret.

“I must have mentioned it at least 25 times today with our client. Not sure yet, but this engine might just be the gold standard”. – Stephen Ridley.

“Developers of Capstone provide great support. Its small size and high modularity makes it perfectly working in kernel as well!”. – Peter Hlavaty.

“Love at first sight! Beautiful API, support latest instructions, Capstone truly is the ultimate disassembly framework!”. – Ole André Vadla Ravnås.

“Simply the best - recommended to anyone asking which disassembler to use!”. – Jurriaan Bremer.

“The most complete disassembler library available for the reverse engineering and information security communities”. – Pedro “osxreverser” Vilaça.

“The API is straightforward and easy to work with, and on the few occasions we have run into issues the Capstone developers have provided bug fixes, new features, and support in a matter of hours”. – Sean Heelan.

“I expect Capstone to become the standard, a stepping stone for all projects everywhere”. – Ange Albertini.

See complete testimonials for Capstone here


Version 3.0

19 Nov 2014

We are excited to announce version 3.0 of Capstone disassembly framework!

The source code is available in zip and tar.gz formats, or at tagname 3.0 in our Github repo.

Find pre-compiled binaries in the Download section.

Please test and send feedback via our contact.


NOTE

  • Do use the bindings that come with this version, as all the old bindings from previous versions 3.0-rcX or 2.x are incompatible and cannot be run with the 3.0 core.

    For Java/Ocaml/Python bindings, see the respective README files under the bindings/ directory in the source for how to do a fresh reinstall.


Summary of the important changes since 2.1.2 (more detail):

  • API
    • New API cs_disasm_iter & cs_malloc (See online doc).
    • Renamed API cs_disasm_ex to cs_disasm (cs_disasm_ex is still supported, but marked deprecated to be removed in future)
    • Support SKIPDATA mode, so Capstone can jump over unknown data and keep going from the next legitimate instruction.
    • API version was bumped to 3.0.
  • Bindings support
    • Python binding supports Python 3 (besides Python 2).
    • Support Ocaml binding.
  • Architectures
    • New architectures: Sparc, SystemZ & XCore.
    • Support new instructions & have important bugfixes for Arm, Arm64, Mips, PowerPC & X86.
    • Always expose absolute addresses rather than relative addresses (Arm, Arm64, Mips, PPC, Sparc, X86).

    • X86: more mature & handles all the malware tricks (that we are aware of).

    • ARM: Support new mode CS_MODE_V8 for Armv8 A32 encodings.

    • Mips
      • Supports new hardware modes: Mips32R6 (CS_MODE_MIPS32R6) & MipsGP64 (CS_MODE_MIPSGP64).
      • Removed the ABI-only mode CS_MODE_N64.
      • New modes CS_MODE_MIPS32 & CS_MODE_MIPS64 (instead of CS_MODE_32 & CS_MODE_64).
  • Support Microsoft Visual Studio (so Windows native compilation using MSVC is possible).

  • Support CMake compilation.

  • Cross-compile for Android.

  • Build libraries/tests using XCode project

  • Much faster, while consuming less memory for all architectures.

Version 3.0-RC3

2 Nov 2014

We are happy to announce the Release Candidate 3 of version 3.0 of Capstone disassembly framework!

The source code is available in zip and tar.gz formats, or at tagname 3.0-rc3 in our Github repo.

Please test and send feedback via our contact.


NOTE

  • Do use the bindings that come with this version, as all the old bindings from previous versions 3.0-RC2 or 2.x are incompatible and cannot be run with the 3.0-RC3 core.

    For Java/Ocaml/Python bindings, see the respective README files under the bindings/ directory in the source for how to do a fresh reinstall.


Summary of the important changes since 3.0-RC2 (more detail):

  • Better support for cross-platform analysis:

    • Use common instruction operand types REG, IMM, MEM & FP across all architectures.

    • Use common instruction group types across all architectures.

  • Fix a buffer overflow bug in fill_insn() in cs.c.

  • X86:

    • Remove bogus instructions X86_INS_REP/REPNE/LOCK.

    • Added prefixed symbols X86_PREFIX_REP/REPNE/LOCK/CS/DS/SS/FS/GS/ES/OPSIZE/ADDRSIZE.

  • ARM: instructions B, BL, BX, BLX, BXJ belong to ARM_GRP_JUMP group.

  • Mips: properly handle modes MIPS32R6 & MICRO.

  • PPC: add new operand type PPC_OP_CRX.


Version 3.0-RC2

16 Oct 2014

We are glad to announce the Release Candidate 2 of version 3.0 of Capstone disassembly framework!

The source code is available in zip and tar.gz formats, or at tagname 3.0-rc2 in our Github repo.

Please test and send feedback via our contact.


NOTE

  • Do use the bindings that come with this version, as all the old bindings from version 2.x are incompatible and cannot be run with the 3.0 core.

    For Java/Ocaml/Python bindings, see the respective README files under the bindings/ directory in the source for how to do a fresh install.


Summary of the important changes of version 3.0-RC2 since 3.0-RC1:

  • New APIs: cs_disasm_iter & cs_malloc. See documentation at http://capstone-engine.org/iteration.html

  • Some optimizations to improve performance of cs_disasm, especially for Windows platform.

  • Properly handle cs_disasm when count is in range [2, 32].

  • Build libraries/tests using XCode project

  • Ocaml binding: major update on interface & some important fixes.

  • ARM: add a new field subtracted to cs_arm_op struct.

  • Mips

    • Remove the ABI-only mode CS_MODE_N64.

    • Get rid of MIPS_REG_PC register.

  • PPC

    • Do not add CR0 to the operand list as it’s not displayed by the disassembly.

    • Print absolute address rather than relative address for some relative branch instructions.

  • X86: properly calculate absolute addresses for relative CALL & JMP - for AT&T syntax.


Version 3.0-RC1

1 Oct 2014

We are pleased to announce the Release Candidate 1 of version 3.0 of Capstone disassembly framework!

The source code is available in zip and tar.gz formats, or at tagname 3.0-rc1 in our Github repo.

Please test and send feedback via our contact.


NOTE

  • Do use the bindings that come with this version, as all the old bindings from version 2.x are incompatible and cannot be run with the 3.0 core.

    For Java/Ocaml/Python bindings, see the respective README files under the bindings/ directory in the source for how to do a fresh install.


Summary of the important changes of version 3.0-RC1 (see Changelog for more details):

  • New architectures: Sparc, SystemZ & XCore.

  • Important bugfixes for Arm, Arm64, Mips, PowerPC & X86.

  • X86 engine now can decode 3DNow instructions.

  • X86 engine is mature & handles all the malware tricks that we are aware of. If you have any code that Capstone wrongly processes, please report.

  • Mips engine added support for new hardware modes: Mips3, Mips32R6 & MipsGP64.

  • Support for Microsoft Visual Studio (so Windows native compilation using MSVC is possible).

  • Support CMake compilation.

  • Cross-compile for Android.

  • Much faster, while consuming less memory for all architectures.

  • API version was bumped to 3.0.

  • Renamed API cs_disasm_ex to cs_disasm (cs_disasm_ex is marked obsolete to be removed in future versions)

  • Support SKIPDATA mode, so Capstone can jump over unknown data and keep going from the next legitimate instruction.

  • Python binding supports Python3.

  • Support Ocaml binding.



CEnigma tool

30 Jul 2014

We are happy to announce a little web-based tool named CEnigma to disassemble input hexcode!

CEnigma offers some advantages:

  • Fast, simple & easy to use: just paste your hexstring, choose architecture/mode/syntax, then submit to get back assembly code.

  • User-friendly: accepts input in all kinds of formats (as long as it contains hexcode inside).

  • Provide instruction details (just hover the mouse over the assembly instructions).

  • Link to assembly manual (just click into the assembly instructions).

  • Save output for future references (choose Duration before submitting).

  • Backed by Capstone, CEnigma is always updated on all 8 architectures: Arm, Arm64, Mips, PPC, Sparc, SystemZ, XCore, X86 (+X86_64).


Find more at www.cenigma.org.


Peeking into the next release

21 May 2014

We have been working hard for the next release of Capstone, which promises a lot of important updates in various areas.

Get the latest code from our Github’s next branch to experience the cutting-edge features of the upcoming version.

Summary of the most interesting changes:

  • New architectures: Sparc & SystemZ.

  • Important bugfixes for Arm, Arm64, Mips & X86.

  • Handle 3DNow instructions of X86.

  • Support for Microsoft Visual Studio (so Windows native compilation using MSVC is possible).

  • Cross-compile for Android.

  • Support SKIPDATA mode, so Capstone can jump over unknown data and keep going at the next legitimate instruction.

  • Python binding supports Python3.

  • X86 engine is now mature & handles all the malware tricks that we are aware of. If you have any code that Capstone wrongly processes, please report it so we can fix it.


Further details are available in our Changelog


In related news, Capstone now has a NodeJS binding! This great work was created and is maintained by Jason Oster.


Version 2.1.2

3 Apr 2014

We are happy to announce the stable version 2.1.2 of Capstone disassembly framework!

This release fixes some bugs deep inside the core. There is no update to the API interface, so bindings of the older version 2.1 are compatible and can still be used with this release.

Find the source code & precompiled binaries in the download section. See documentation for how to compile and install Capstone.

Highlights of the changes:

  • Support cross-compilation for all iDevices (iPhone/iPad/iPod).

  • X86: do not print memory offset in negative form.

  • Fix a bug in X86 where Capstone could not handle a short instruction.

  • Print negative numbers in range [-9, -1] without prefix 0x (arm64, mips, arm).

  • Correct the SONAME setup for library versioning on Linux, *BSD & Solaris.

  • Set library versioning for dylib of OSX.

  • Remove the redundant include/diet.h


NOTE

  • This release fixes the library versioning for Mac OSX, Linux, *BSD & Solaris. This might require recompiling tools compiled with prior versions of Capstone, but there is no need to modify the tools' source whatsoever.

  • This version made no API change, so old bindings of release 2.1 still work just fine. The only exception is the Python binding package for Windows in the Download section: users still need to upgrade it, as this package actually includes the new core engine 2.1.2 inside.


See the news archive for older posts.