From: Andreas A. <all...@gm...> - 2017-07-06 11:57:20

Hey, I'm new to Capstone, and trying to get information about the operands of instructions. I'm using the Python binding and tried the supplied example (http://www.capstone-engine.org/op_access.html). The line:

    (regs_read, regs_write) = insn.regs_access()

gives me:

    TypeError: 'NoneType' object is not callable

Then I went through the code, trying to figure out the problem. I noticed that the CsInsn class has neither an attribute nor a method called regs_access. Does this mean that this feature is not yet implemented?

Greetings,
Andreas
From: Nguyen A. Q. <aq...@gm...> - 2017-06-23 15:36:05

fixed, thanks!

Quynh
http://www.keystone-engine.org
http://www.capstone-engine.org
http://www.unicorn-engine.org

On Fri, Jun 23, 2017 at 11:09 PM, Buella, Gabor <gab...@in...> wrote:
> Hi,
>
> There is a link at http://www.capstone-engine.org/showcase.html which
> points to https://github.com/GBuella/syscall_intercept , but that is a
> fork in my personal repository. The canonical repository is at
> https://github.com/pmem/syscall_intercept .
>
> ( this project only existed in my personal repo before, but now that it is
> sort of mature, it is published under a corporate maintained repo ).
>
> Gábor
>
> _______________________________________________
> Capstone-users mailing list
> Cap...@li...
> https://lists.sourceforge.net/lists/listinfo/capstone-users
From: Buella, G. <gab...@in...> - 2017-06-23 15:09:39

Hi,

There is a link at http://www.capstone-engine.org/showcase.html which points to https://github.com/GBuella/syscall_intercept , but that is a fork in my personal repository. The canonical repository is at https://github.com/pmem/syscall_intercept .

(This project only existed in my personal repo before, but now that it is sort of mature, it is published under a corporate-maintained repo.)

Gábor
Intel Technology Poland sp. z o.o.
From: Jay O. <ja...@ko...> - 2017-06-09 00:53:51

Hi,

1. Indirect jumps are not impossible to trace with static analysis, but the best you can get is a subset of all possibilities (can't solve the halting problem). Since you are only analyzing the Linux kernel, the problem space is actually quite small in comparison to all possible ways that function pointers can flow through code paths. The simplest possible example is a jump table (like you might find compiled from switch statements) where all pointers are grouped somewhere in memory, and a reference to the table happens to be nearby the jump instruction. This is actually pretty easy to automate after some manual work deciphering the assembly patterns, and tracking the state necessary for reaching the jump table. Anyway, just throwing some ideas out there.

2. Function epilogues are funny things. You'll also find other strange cases like tail optimizations that unconditionally jump to other subroutines. This is typical of code that performs a subroutine call in a return statement. It makes detection of function epilogues more work than just seeking ret instructions. One small tip: if you hit an unconditional jump and you got there without any conditional jumps over it, it's a good candidate to consider as the function epilogue. Take for example the pseudo instruction sequence below. It's logically impossible for the code following the *second* unconditional instruction to be part of the function. The first unconditional instruction is there to prove a point that conditional/unconditional is not a rule of thumb, but something to validate in a later pass.

    prologue:
        add stack, 2
        mov stack[0], reg1
        mov reg1, 0
        jmp addr_1033
    addr_102a:
        add reg1, 1
    addr_1033:
        cmp reg1, reg0
        jne addr_102a
    epilogue:
        mov reg1, stack[0]
        sub stack, 2
        jmp addr_2d65

It's kind of x86-like pseudo assembly, but it should illustrate the point; `jmp addr_1033` unconditionally skips an add instruction, and `jmp addr_2d65` is the end of the function. It's the end of the function because it leaves the current "code block" in the address space. It's also obviously the end of the function because it deallocates stack space. But you might find different cases if you look hard enough. If you have multiple functions with the same function signature and stack allocation requirements, various compilers might choose to optimize for space and share the entire epilogue amongst multiple functions. These kinds of things become much cleaner when the control flow is graphed, and individual function fragments are grouped by address into these "code blocks". The later passes of your analyzer can do this kind of work to clarify the unambiguous cases.

FWIW, the idea that I provided in point (1) comes from a project I wrote like a decade ago for decompiling SNES ROM images. This is how I approached the problem in that environment: https://bitbucket.org/parasyte/snesrc/src/5cd4be0ab1a2aedcd612129f916ac224398ab990/emulate.c?at=default&fileviewer=file-view-default#emulate.c-380:442

The heuristic I used was seeking backward in memory for a pointer (address space check) that pointed at an array of pointers (more address range checks). It's not a very good heuristic. :) Today I would attempt to maintain state (e.g. try to resolve register and memory contents to some extent) to make an educated guess instead of the brute force method used in this old code!

Good luck, fun stuff! Wish I could spend more time on these kinds of challenges.
From: W. M. P. <mi...@fl...> - 2017-06-08 20:16:08

We are working on a tool that must set breakpoints on various code paths within the Linux kernel. We are investigating two techniques to do this, one of which involves Capstone. Given the address of a kernel function, we use Capstone to follow the control flows and note their terminating "ret" instructions. Essentially, we disassemble the code surrounding the function and iterate through the instructions therein. If we find a jump, then we follow it recursively, returning to continue linearly from the location of the jump.

We have come across two problems:

(1) The kernel makes use of jumps where the operand is in a register. These seem impossible to follow using static analysis. Ten of the functions (out of hundreds) we wish to instrument exhibit this.

(2) We have found that our version of the compiled kernel seems to share return instructions across functions. This surprised us, and we wonder whether it is due to some GCC optimization. (The symptom is that our tool follows control flow as described, and it eventually wants to set two "ret" breakpoints at the same address but for two different functions.) We set out to try to determine if GCC had such an optimization, but have not yet found anything conclusive. It sounds like an interprocedural crossjump or tree-tail merge, but we have not found documentation stating that these optimizations can indeed cross procedures.

Does anyone have any tips on how to handle (1)? Does there exist a C library built on Capstone which helps apply a heuristic?

Can anyone confirm that (2) might be the result of some GCC optimization?

--
Mike

:wq
From: Nguyen A. Q. <aq...@gm...> - 2017-06-08 00:18:23

there are still some issues that i must fix. but i will release 3.0.5 this month.

Thanks,
Quynh
http://www.keystone-engine.org
http://www.capstone-engine.org
http://www.unicorn-engine.org
From: Jurriaan B. <jur...@gm...> - 2017-06-06 17:25:45

Hi Q,

As I believe you've seen we're including Capstone (and Unicorn Engine, btw) into Cuckoo Sandbox. However, I noticed an issue in 3.0.4 that seems to have been resolved in 3.0.5rc2 already - namely that of libcapstone.so being written to an incorrect directory. That said, do you have an ETA on the 3.0.5 release for me? :-)

Thanks!

Jurriaan
From: Nguyen A. Q. <aq...@gm...> - 2017-05-29 01:27:22

On Mon, May 29, 2017 at 3:42 AM, JonathonS <the...@gm...> wrote:
> Hi, I've been trying to use capstone to disassemble functions in memory (e.g.
> printf, fread, etc.). Ideally, I'd like to see the function
> prologue/epilogue as well as function body.
>
> I've been using this code here
> (https://toastedcornflakes.github.io/articles/fuzzing_capstone_with_afl.html)
> as a starting point but I haven't figured out how to accomplish what I want.
> I am a bit confused on what to provide cs_disasm.
>
> Here is what I have:
>
>     #include "capstone.h"
>
>     int main(int argc, char** argv) {
>         csh handle;
>         cs_insn *insn;
>         size_t count;
>         uint8_t buf[128] = {0};
>
>         if (cs_open(CS_ARCH_ARM, CS_MODE_ARM, &handle) == CS_ERR_OK) {
>             count = cs_disasm(handle, buf, sizeof(buf), (uint64_t) printf, 0, &insn);
>
>             // TODO: Print instructions
>
>             cs_free(insn, count);
>         }
>         cs_close(&handle);
>         return 0;
>     }
>
> However, when I run this code and when I print the instructions, I keep
> getting
>
>     andeq r0,r0,r0
>
> which I guess is the equivalent of 0/no-op on ARM. This seems incorrect.

buf is an array full of 0, so this is expected, as 00 00 00 00 = NOP. what is wrong here?

Thanks,
Quynh
http://www.keystone-engine.org
http://www.capstone-engine.org
http://www.unicorn-engine.org
From: Jay O. <ja...@ko...> - 2017-05-28 21:21:51

See the documentation: http://www.capstone-engine.org/lang_c.html

The arguments you need to pass are a pointer to the code and the size of the code buffer. Since your buffer is just a zeroed array, you're getting the expected behavior.

The fourth arg is the disassembly location. It's not a pointer, just an integer. But you can use a pointer to disassemble code in memory. You want to use something like this:

    cs_disasm(handle, (const uint8_t *) printf, 256, (uint64_t) printf, 0, &insn);

Where the `256` is just a guess of the function size.
From: JonathonS <the...@gm...> - 2017-05-28 19:42:22

Hi, I've been trying to use capstone to disassemble functions in memory (e.g. printf, fread, etc.). Ideally, I'd like to see the function prologue/epilogue as well as function body.

I've been using this code here (https://toastedcornflakes.github.io/articles/fuzzing_capstone_with_afl.html) as a starting point but I haven't figured out how to accomplish what I want. I am a bit confused on what to provide cs_disasm.

Here is what I have:

    #include <stdio.h>      /* for printf, whose address is used as the base below */
    #include "capstone.h"

    int main(int argc, char** argv) {
        csh handle;
        cs_insn *insn;
        size_t count;
        uint8_t buf[128] = {0};   /* a zeroed buffer: this is what gets disassembled, not printf */

        if (cs_open(CS_ARCH_ARM, CS_MODE_ARM, &handle) == CS_ERR_OK) {
            count = cs_disasm(handle, buf, sizeof(buf), (uint64_t) printf, 0, &insn);

            // TODO: Print instructions

            if (count > 0)
                cs_free(insn, count);
            cs_close(&handle);    /* only close a handle that was opened */
        }
        return 0;
    }

However, when I run this code and when I print the instructions, I keep getting

    andeq r0,r0,r0

which I guess is the equivalent of 0/no-op on ARM. This seems incorrect.

Thanks in advance for any help!
From: Chris J. <ja...@ac...> - 2017-05-12 19:00:22

Hello All,

I am trying to use Capstone.NET from my C# program, and I failed just running the unmodified basic example in Capstone.NET. Making CapstoneCMD the startup project didn't work and it crashes at runtime. I am not clear on the readme file. Here are my questions:

What does "X86 version of Capstone 3" mean? Is this about disassembling to (target?), but I'm more interested in Arm64, not X86. Is this about the machine running the program (host?)? My PC has a 64-bit processor, so both X86_32 and X64 should be executable. What does bitness mean here? There is only one version of C# and I build it for X86.

- Capstone.NET alone fails.
- capstone-3.0.5-rc2-win32>cstool.exe alone does NOT work on my machine.
- capstone-3.0.5-rc2-win64>cstool.exe alone seems to work.
- Adding either of the 32- or 64-bit DLLs ("capstone.dll") into Capstone.NET fails, because those DLLs don't do the PInvoke.

Please explain why that is necessary; I thought the base capstone.dll is only used indirectly from Gee.External.Capstone.Proxy.dll and specialization is done there? The NuGet version looks like 2 years old.

I'm not only learning Capstone, Capstone.NET, and the Arm ISA architecture; I'm also just getting used to Visual Studio configuration and project files.

And another question: Could Capstone.NET be built and used with Mono on Linux?

Thank you for your support,
Chris

Chris Jacobi
cj...@wh...
From: Nguyen A. Q. <aq...@gm...> - 2017-04-17 15:54:30

Hi,

Capstone disassembler just added TMS320C64X as the 10th architecture into the next branch: https://github.com/aquynh/capstone/tree/next

Thanks Fotis for this amazing work!

Thanks,
Quynh
http://www.keystone-engine.org
http://www.capstone-engine.org
http://www.unicorn-engine.org
From: Nguyen A. Q. <aq...@gm...> - 2017-04-12 15:06:37

Good news: PHP support for Capstone is now available! Let's welcome the 17th binding of our disassembler!

https://github.com/firodj/php-capstone

Thanks,
Quynh
http://www.keystone-engine.org
http://www.capstone-engine.org
http://www.unicorn-engine.org
From: Jay O. <ja...@ko...> - 2017-03-06 17:09:52

3.0.5-rc1 has 159 commits since 3.0.4, and 3.0.5-rc2 has 290! Wow, it might take a while to get node-capstone up-to-date with these changes. Looks like there are quite a few relevant. Nice work you've all been doing!

Cheers,
Jay
From: Nguyen A. Q. <aq...@gm...> - 2017-03-06 12:23:04

To follow up: Python modules for Capstone 3.0.5-rc2 for both Win32 & Win64 are now available in MSI format at http://www.capstone-engine.org/download.html

thanks to Andrew, the Pypi package is also updated to 3.0.5-rc2. you can install the Python module of Capstone for Linux & Windows from the command line with "pip install capstone"

Thanks,
Quynh
http://www.keystone-engine.org
http://www.capstone-engine.org
http://www.unicorn-engine.org
From: Nguyen A. Q. <aq...@gm...> - 2017-03-02 16:26:32

hi,

we are very happy to announce Capstone Disassembler Engine 3.0.5-RC2!

this release candidate version is the result of 1.5 years of development, with a lot of contribution from the community. we fixed many important issues (security included), significantly improved the core and all the bindings.

the source code & Windows precompiled binaries are now available at http://www.capstone-engine.org/Version-3.0.5-RC2. also see the above link for the important changes since v3.0.4.

we plan to release v3.0.5 after some more tests. if you find any issues, please report.

thanks,
Quynh
http://www.keystone-engine.org
http://www.capstone-engine.org
http://www.unicorn-engine.org
From: Nguyen A. Q. <aq...@gm...> - 2017-02-04 16:05:12

hi,

somebody (Alex) from our community just released a new web-based tool that lets you emulate the CPU of X86, Arm, Arm64 & Mips in a web browser! this is exciting and unique, as it uses all of our frameworks Capstone, Unicorn & Keystone.

https://alexaltea.github.io/unicorn.js/index.html

at the same time, we are moving towards the next releases of both Unicorn (v1.0) & Capstone (v3.0.5), all coming with lots of bugfixes & improvements. please help to test & report bugs before they are out.

thanks,
Quynh
http://www.keystone-engine.org
http://www.capstone-engine.org
http://www.unicorn-engine.org
From: d wk <dw...@gm...> - 2016-11-29 02:43:47

Hi,

I am trying to determine the operand size in x86 jump instructions. For instance, given

    0x1000: 0x74 0x20  =>  je 0x1022

then I would like to know that this is a short jump with a 1-byte operand. But capstone says that this operand is 8 bytes on x86_64 and 4 bytes on x86 (the output of test_x86 on this instruction is attached below). Any suggestions on getting the actual operand size present in the original encoding?

What I'm actually trying to do is re-emit the same instruction with the same encoding size, but a potentially adjusted operand value. So I need to figure out which bytes correspond to the instruction opcodes and output those while replacing the bytes that correspond with the original jump displacement.

Thanks,
David

    ****************
    Platform: X86 32 (Intel syntax)
    Code:0x74 0x20
    Disasm:
    0x1000: je 0x1022
        Prefix:0x00 0x00 0x00 0x00
        Opcode:0x74 0x00 0x00 0x00
        rex: 0x0
        addr_size: 4
        modrm: 0x0
        disp: 0x0
        sib: 0x0
        imm_count: 1
            imms[1]: 0x1022
        op_count: 1
            operands[0].type: IMM = 0x1022
            operands[0].size: 4
    0x1002:

    ****************
    Platform: X86 64 (Intel syntax)
    Code:0x74 0x20
    Disasm:
    0x1000: je 0x1022
        Prefix:0x00 0x00 0x00 0x00
        Opcode:0x74 0x00 0x00 0x00
        rex: 0x0
        addr_size: 8
        modrm: 0x0
        disp: 0x0
        sib: 0x0
        imm_count: 1
            imms[1]: 0x1022
        op_count: 1
            operands[0].type: IMM = 0x1022
            operands[0].size: 8
    0x1002:
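Worked example for this question and for the Petullo/Jay thread above on following jumps to their terminating rets. This is an added example, not code from Capstone or from any poster: a small hand-written decoder for the few 32-bit x86 control-flow encodings involved (Jcc/JMP rel8 and rel32, CALL rel32, JMP through a register, RET, with push/pop/nop as filler). It exposes the encoded displacement width that the test_x86 dump above does not, re-emits a branch at the same size with a new target (refusing a target the rel8 field cannot reach), and walks a function recursive-descent style, recording terminating rets, register-operand jumps it cannot resolve, and rets reached from more than one entry point. The bytes, base address and function layout are constructed for the demo.

```python
"""Hand-rolled decoder for a handful of 32-bit x86 control-flow encodings.
Added example for this thread; not Capstone code. Sample bytes are constructed."""
import struct
from dataclasses import dataclass

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


@dataclass
class Insn:
    addr: int
    mnem: str
    size: int
    kind: str = "other"   # "jcc" | "jmp" | "call" | "ret" | "jmp_reg" | "other"
    disp_size: int = 0    # width of the encoded rel8/rel32 field, 0 if none
    disp: int = 0         # sign-extended displacement

    @property
    def target(self):
        # Relative targets are computed from the address of the *next* instruction.
        return self.addr + self.size + self.disp if self.disp_size else None


def decode(code: bytes, off: int, base: int) -> Insn:
    """Decode the instruction at code[off], with the buffer loaded at `base`."""
    addr, op = base + off, code[off]
    if 0x70 <= op <= 0x7F or op == 0xEB:                 # Jcc rel8 / JMP rel8
        kind = "jmp" if op == 0xEB else "jcc"
        return Insn(addr, kind, 2, kind, 1, struct.unpack_from("<b", code, off + 1)[0])
    if op in (0xE8, 0xE9):                               # CALL rel32 / JMP rel32
        kind = "call" if op == 0xE8 else "jmp"
        return Insn(addr, kind, 5, kind, 4, struct.unpack_from("<i", code, off + 1)[0])
    if op == 0x0F and 0x80 <= code[off + 1] <= 0x8F:     # Jcc rel32 (0F 8x)
        return Insn(addr, "jcc", 6, "jcc", 4, struct.unpack_from("<i", code, off + 2)[0])
    if op == 0xFF and 0xE0 <= code[off + 1] <= 0xE7:     # FF /4 with mod=11: JMP reg
        return Insn(addr, "jmp " + REG32[code[off + 1] & 7], 2, "jmp_reg")
    if op == 0xC3:
        return Insn(addr, "ret", 1, "ret")
    if 0x50 <= op <= 0x5F:
        return Insn(addr, ("push " if op < 0x58 else "pop ") + REG32[op & 7], 1)
    if op == 0x90:
        return Insn(addr, "nop", 1)
    raise ValueError(f"unsupported opcode {op:#04x} at {addr:#x}")


def reencode_branch(insn: Insn, raw: bytes, new_target: int) -> bytes:
    """Keep the opcode bytes, replace only the displacement, never change the size."""
    if not insn.disp_size:
        raise ValueError("not a relative branch")
    new_disp = new_target - (insn.addr + insn.size)
    fmt, (lo, hi) = {1: ("<b", (-128, 127)), 4: ("<i", (-2**31, 2**31 - 1))}[insn.disp_size]
    if not lo <= new_disp <= hi:
        raise ValueError("new target does not fit the original displacement width")
    return raw[: insn.size - insn.disp_size] + struct.pack(fmt, new_disp)


def walk(code: bytes, base: int, entry: int):
    """Follow direct jumps/branches from `entry`, stop at ret; calls fall through.
    Returns (ret addresses, addresses of jumps that cannot be resolved statically)."""
    rets, unresolved, seen, work = set(), set(), set(), [entry]
    while work:
        addr = work.pop()
        while addr not in seen and base <= addr < base + len(code):
            seen.add(addr)
            insn = decode(code, addr - base, base)
            if insn.kind == "ret":
                rets.add(addr); break
            if insn.kind == "jmp_reg":
                unresolved.add(addr); break       # operand lives in a register
            if insn.kind == "jmp":
                addr = insn.target; continue      # unconditional: only the target continues
            if insn.kind == "jcc":
                work.append(insn.target)          # conditional: both edges
            addr += insn.size                     # fall through (also after a call)
    return rets, unresolved


def shared_rets(code: bytes, base: int, entries):
    """ret address -> entry points reaching it, for rets reached from more than one function."""
    owners = {}
    for e in entries:
        for r in walk(code, base, e)[0]:
            owners.setdefault(r, set()).add(e)
    return {r: o for r, o in owners.items() if len(o) > 1}


# Constructed sample at base 0x1000: func_a (0x1000) and func_b (0x1008) both jump into one
# shared "pop ebp; ret" epilogue at 0x1010; func_c (0x1012) ends in "jmp eax".
BASE = 0x1000
CODE = bytes.fromhex("55 7403 909090 eb08 55 e902000000 9090 5d c3 ffe0 c3")

if __name__ == "__main__":
    je = decode(bytes.fromhex("7420"), 0, 0x1000)
    print(f"je -> {je.target:#x}, encoded displacement is {je.disp_size} byte(s)")
    print("retargeted to 0x1010:", reencode_branch(je, bytes.fromhex("7420"), 0x1010).hex())
    for entry in (0x1000, 0x1008, 0x1012):
        print(f"{entry:#x}: rets, unresolved =", walk(CODE, BASE, entry))
    print("rets shared between functions:", shared_rets(CODE, BASE, [0x1000, 0x1008, 0x1012]))
```

Mapping this onto Capstone: with detail enabled, the CS_GRP_JUMP / CS_GRP_CALL / CS_GRP_RET groups classify the instruction and a jump whose first operand is X86_OP_REG is the register case; for the displacement width go by the opcode bytes (the `Opcode:` line in the dump above), because `operands[0].size` there follows the mode's address size (4 on x86-32, 8 on x86-64) rather than the encoded rel8/rel32 field. A rel8 that no longer reaches its new target cannot be patched in place, since the rel32 form changes the instruction length; that is the case the code refuses rather than silently emitting a truncated displacement.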
From: Nguyen A. Q. <aq...@gm...> - 2016-07-26 15:19:57

hi,

we are happy to announce a stable release of Capstone, version 3.0.5-rc1!

this maintenance version just fixes some issues deep in the core, makes some improvements on packages & installation, but causes no compatibility issue with current code running with version 3.0.4

find more details on this version at https://github.com/aquynh/capstone/releases/tag/3.0.5-rc1

if you find any issues, please report!

thanks,
Quynh
http://www.keystone-engine.org
http://www.capstone-engine.org
http://www.unicorn-engine.org
From: Nguyen A. Q. <aq...@gm...> - 2016-06-30 08:23:13

sorry you have to build all these things yourself, as Capstone only provides a low-level framework to decode binary back to assembly instructions.

most (if not all) of the things you want to do have been implemented here and there, in different tools. take a look at existing apps built on top of Capstone here: http://www.capstone-engine.org/showcase.html

Thanks,
Quynh
http://www.keystone-engine.org
http://www.capstone-engine.org
http://www.unicorn-engine.org
From: Pedro R. <pe...@gm...> - 2016-06-03 18:31:24

Hi,

I want to build a prototype automatic exploit generator for MIPS firmware.

One of the first steps is to do the following:
- Find a string in a binary firmware image
- Find all references to that string
- Disassemble the 3 instructions after the string is referenced
- Locate the target instruction and extract a variable location from it

I have limited understanding (bear with me...) but from the way IDA works, I always need to specify a base image address, else the string cross references won't be found.

Is this possible / easy to do in capstone? Where would I start?

Regards,
Pedro
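One way to do the first three steps on a raw image, as an added example that is not Capstone's or IDA's code and not something Capstone provides itself: a string lookup, a scan for the lui/addiu (or lui/ori) pairs MIPS uses to materialise a 32-bit address, and a decode of the instructions that follow the reference. The base address matters for exactly the reason observed with IDA: the two 16-bit halves in the code add up to an absolute address, so they only match the string's location once the image is placed at the right base, and the same scan with a wrong base finds nothing. Assumes MIPS32 little-endian; the blob, the load address and the register names used are constructed for the demo.

```python
"""String cross-references in a raw MIPS32 (little-endian) image via lui/addiu pairs.
Added example for this thread; not Capstone or IDA code. Blob and base are constructed."""
import struct

BASE_GUESS = 0x80400000   # assumed load address of the blob (constructed for this demo)

# I-type opcodes this demo understands: opcode field -> mnemonic
I_TYPE = {0x0F: "lui", 0x09: "addiu", 0x0D: "ori", 0x23: "lw", 0x2B: "sw"}


def decode(word: int):
    """Decode one 32-bit word into (mnemonic, rs, rt, imm16); None if not in our table."""
    if word == 0:
        return ("nop", 0, 0, 0)
    op = word >> 26
    if op not in I_TYPE:
        return None
    return I_TYPE[op], (word >> 21) & 31, (word >> 16) & 31, word & 0xFFFF


def sext16(v: int) -> int:
    """addiu sign-extends its immediate; ori and lui do not."""
    return v - 0x10000 if v & 0x8000 else v


def find_string(blob: bytes, s: bytes) -> int:
    """Offset of the first NUL-terminated occurrence of `s` in the blob."""
    return blob.index(s + b"\0")


def find_xrefs(blob: bytes, base: int, target: int, window: int = 4):
    """Offsets of the instruction completing a lui/addiu or lui/ori pair that forms `target`.
    The low half is often a few instructions after the lui, hence the look-ahead window."""
    words = [struct.unpack_from("<I", blob, i)[0] for i in range(0, len(blob) - 3, 4)]
    hits = []
    for i, w in enumerate(words):
        d = decode(w)
        if d is None or d[0] != "lui":
            continue
        _, _, rt, hi = d
        for j in range(i + 1, min(i + 1 + window, len(words))):
            d2 = decode(words[j])
            if d2 is None or d2[1] != rt or d2[2] != rt:
                continue                     # must combine the register the lui wrote
            mnem, _, _, lo = d2
            if mnem == "addiu":
                addr = ((hi << 16) + sext16(lo)) & 0xFFFFFFFF
            elif mnem == "ori":
                addr = (hi << 16) | lo
            else:
                continue
            if addr == target:
                hits.append(j * 4)
            break
    return hits


def following(blob: bytes, off: int, n: int = 3):
    """The n decoded instructions after offset `off`; a store's base register and offset
    in there is the kind of "variable location" the last step of the plan wants."""
    out = []
    for k in range(1, n + 1):
        w = struct.unpack_from("<I", blob, off + 4 * k)[0]
        out.append((off + 4 * k, decode(w) or ("unknown", 0, 0, w)))
    return out


def string_xrefs(blob: bytes, base: int, s: bytes):
    """Find the string, then the code that loads its absolute address."""
    return find_xrefs(blob, base, base + find_string(blob, s))


def constructed_blob() -> bytes:
    """Constructed fragment: load the address of "admin" (at offset 0x100) into $a0,
    store $v0 at 0x10($s0), two nops, zero padding, then a small string table."""
    def i_type(op, rs, rt, imm):
        return struct.pack("<I", (op << 26) | (rs << 21) | (rt << 16) | (imm & 0xFFFF))
    A0, V0, S0 = 4, 2, 16
    s_addr = BASE_GUESS + 0x100
    hi = (s_addr + 0x8000) >> 16          # %hi: compensates for addiu sign-extending %lo
    code = b"".join([
        i_type(0x0F, 0, A0, hi),             # lui   $a0, 0x8040
        i_type(0x09, A0, A0, s_addr),        # addiu $a0, $a0, 0x100
        i_type(0x2B, S0, V0, 0x10),          # sw    $v0, 0x10($s0)
        b"\0\0\0\0", b"\0\0\0\0",            # nop; nop
    ])
    return code.ljust(0x100, b"\0") + b"admin\0root\0"


if __name__ == "__main__":
    blob = constructed_blob()
    for base in (BASE_GUESS, 0x80000000):
        refs = string_xrefs(blob, base, b"admin")
        print(f"base {base:#x}: xrefs at offsets {refs}")
        for off in refs:
            print("  next instructions:", following(blob, off))
```

Only the direct lui/addiu and lui/ori idiom is covered; position-independent MIPS code commonly fetches addresses from the GOT with a $gp-relative lw instead, and a string can also be referenced from a pointer table in data rather than from code, so a real tool needs more patterns than this one. Once a reference is located, the hand decoder in `following` is the part to swap for Capstone's MIPS mode to get full mnemonics and operands for the instructions after it.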
From: Nguyen A. Q. <aq...@gm...> - 2016-05-25 17:07:56

On Thu, May 26, 2016 at 12:59 AM, STaTeoFMiND <abu...@gm...> wrote:
> hello list,
>
> I am a new capstone user, I am just looking for an example on how to have
> disassembled code divided in basic blocks from a binary code. I am wondering
> if I need to divide manually each block on branch instructions or capstone
> can do it directly?
> if so, is there sample code for it?

for a quick start, you can decode from the entry point, then when you see the branches, follow them and continue from the target addresses.

you can find a lot of examples at http://www.capstone-engine.org/showcase.html. go thru the list and pick some simple small project and read the code to see how to do what you want.

cheers,
Quynh
http://www.keystone-engine.org
http://www.capstone-engine.org
http://www.unicorn-engine.org

> thanks in advance,
> abux
>
> --
> Bug is not a problem, it is a feature.
From: STaTeoFMiND <abu...@gm...> - 2016-05-25 16:59:14

hello list,

I am a new capstone user, I am just looking for an example on how to have disassembled code divided in basic blocks from a binary code. I am wondering if I need to divide manually each block on branch instructions or capstone can do it directly? if so, is there sample code for it?

thanks in advance,
abux

--
Bug is not a problem, it is a feature.
From: Nguyen A. Q. <aq...@gm...> - 2016-03-31 02:01:20

On Thu, Mar 31, 2016 at 6:48 AM, farmdve <fa...@gm...> wrote:
> Please, I beg of you, support the MASM syntax!

That is a good idea. Masm syntax can be added if I have enough time. Thanks.

> On 30 March 2016 at 20:10, Nguyen Anh Quynh <aq...@gm...> wrote:
>> Dear Capstone/Unicorn users,
>>
>> We have passed the initial funding goal on IndieGogo in just 1 week!
>> Thanks a lot to everybody who believed in this project and supported us,
>> you are awesome!
>>
>> With about 10 more days to go, we decided to set out a new stretch goal
>> of $15000 to support more assembly syntaxes such as GNU Gas & Nasm.
>> More information is available at http://www.keystone-engine.org/indiegogo2
>>
>> Please help to spread the news, and support our campaign:
>> https://igg.me/at/keystone/
>>
>> Thanks,
>> Quynh
>>
>> http://www.keystone-engine.org
>> http://www.capstone-engine.org
>> http://www.unicorn-engine.org
>>
>> On Thu, Mar 17, 2016 at 11:10 PM, Nguyen Anh Quynh <aq...@gm...> wrote:
>>> Dear Capstone/Unicorn users,
>>>
>>> We are very excited to announce our IndieGogo campaign for Keystone
>>> Engine, the next-gen assembler framework!
>>>
>>> Find more information at our IndieGogo page at
>>> https://igg.me/at/keystone/, and our homepage at
>>> http://www.keystone-engine.org
>>>
>>> After Capstone & Unicorn, Keystone is the latest of our on-going effort
>>> to bring better tools to the reverse-engineering community. Now with the
>>> final missing piece Keystone, we complete the magical trilogy of
>>> disassembler - emulator - assembler.
>>>
>>> Come support us, and help to spread the news, so together we can solve
>>> the lingering problem of missing the assembler framework once, and for all!
>>>
>>> The Keystone name came from some private conversation with Felix “FX”
>>> Lindner. Thanks for such a great inspiration, FX!
>>>
>>> Best,
>>> Quynh
>>>
>>> http://www.capstone-engine.org
>>> http://www.unicorn-engine.org
>>> http://www.keystone-engine.org
From: farmdve <fa...@gm...> - 2016-03-30 22:48:26

Please, I beg of you, support the MASM syntax!