From: Nguyen A. Q. <aq...@gm...> - 2015-08-22 00:58:44

On Sat, Aug 22, 2015 at 3:06 AM, Timothy M Jones <tim...@cl...> wrote:

> On 21/08/2015 09:08, Nguyen Anh Quynh wrote:
> > On Fri, Aug 21, 2015 at 3:45 AM, Timothy M Jones
> > <tim...@cl... <mailto:tim...@cl...>> wrote:
> >
> > Hello,
> >
> > I was reading on slide 47 of this presentation
> > (http://www.capstone-engine.org/BHUSA2014-capstone.pdf) about the Epic
> > framework to translate binaries to LLVM bitcode. Could you tell me
> > whether this is an actual project that is publicly available and, if so,
> > where I can get it from?
> >
> >
> > this project is real, but it is not public yet.
>
> Thanks very much for the information. Do you plan to release it and, if
> so, do you have a potential time-frame in mind? We are using Capstone
> for an existing project,

great, let us know when your project is public, so we will link to it:
http://www.capstone-engine.org/showcase.html

> but would really like to be able to use LLVM
> for a new project that will start next year.

no there is time frame for that yet. will update you when that is ready.

thanks.
Quynh

From: Timothy M J. <tim...@cl...> - 2015-08-21 19:06:20

On 21/08/2015 09:08, Nguyen Anh Quynh wrote:
> On Fri, Aug 21, 2015 at 3:45 AM, Timothy M Jones
> <tim...@cl... <mailto:tim...@cl...>> wrote:
>
> Hello,
>
> I was reading on slide 47 of this presentation
> (http://www.capstone-engine.org/BHUSA2014-capstone.pdf) about the Epic
> framework to translate binaries to LLVM bitcode. Could you tell me
> whether this is an actual project that is publicly available and, if so,
> where I can get it from?
>
>
> this project is real, but it is not public yet.

Thanks very much for the information. Do you plan to release it and, if so, do you have a potential time-frame in mind? We are using Capstone for an existing project, but would really like to be able to use LLVM for a new project that will start next year.

Best wishes
Tim

--
Timothy M. Jones
http://www.cl.cam.ac.uk/~tmj32/

From: Nguyen A. Q. <aq...@gm...> - 2015-08-21 08:09:10

On Fri, Aug 21, 2015 at 3:45 AM, Timothy M Jones <tim...@cl...> wrote:

> Hello,
>
> I was reading on slide 47 of this presentation
> (http://www.capstone-engine.org/BHUSA2014-capstone.pdf) about the Epic
> framework to translate binaries to LLVM bitcode. Could you tell me
> whether this is an actual project that is publicly available and, if so,
> where I can get it from?

this project is real, but it is not public yet.

thanks,
Q

From: Timothy M J. <tim...@cl...> - 2015-08-20 19:45:54

Hello,

I was reading on slide 47 of this presentation (http://www.capstone-engine.org/BHUSA2014-capstone.pdf) about the Epic framework to translate binaries to LLVM bitcode. Could you tell me whether this is an actual project that is publicly available and, if so, where I can get it from?

Thanks
Tim

--
Timothy M. Jones
http://www.cl.cam.ac.uk/~tmj32/

From: Philipp R. <phi...@si...> - 2015-08-20 11:23:13

Hi aquynh, Jay and derrek,

thanks a lot for your help, it's much appreciated! I checked out the "next branch" and adapted the Java bindings. So I am able to use the skipdata mode and it works perfectly. It's exactly the thing I was looking for!

Thanks!
Philipp

On 19.08.2015 20:30, Jay Oster wrote:
> Tip: Use Capstone's skipdata mode to handle these situations:
> http://www.capstone-engine.org/skipdata.html
>
> On Wed, Aug 19, 2015 at 7:21 AM, Nguyen Anh Quynh <aq...@gm...
> <mailto:aq...@gm...>> wrote:
>
> On Wed, Aug 19, 2015 at 8:19 PM, Philipp Roskosch
> <phi...@si...
> <mailto:phi...@si...>> wrote:
>
> Hi again,
>
> I investigated my shared-object file a little bit more with different
> tools which are using capstone. On www.CEnigma.org
> <http://www.CEnigma.org> my problem can be reproduced:
>
> Settings: Arm, Little Endian
> Code: 04 00 9F E5 00 00 8F E0 E7 FF FF EA C8 23 00 00
> 00 00 50 E3 08 40 2D E9 08 80 BD 08 30 FF 2F E1
> 08 80 BD E8 00 10 A0 E1 0C 20 9F E5 0C 00 9F E5
> 02 20 8F E0 00 00 8F E0 D8 FF FF EA 9C 23 00 00
> D4 FF FF FF 08 B5 03 48 78 44 00 F0 4F FF 01 20
> 08 BD C0 46 70 11 00 00 03 68 00 B5 5A 00 03 D5
>
> After the instruction "D4 FF FF FF" the output just stops. Move this
> instruction to the beginning and it tells you "Error: Failed to
> disassemble! Invalid input?".
>
>
> D4 FF FF FF is not a valid instruction, so you need to look closer
> into your binary file.
>
> the reason is that your assumption that bytes come from .text must
> be code is wrong.
>
>
> thanks.
>
>
> I do not know if this is a bug or working as intended. Fact is that
> these byte sequence is present in my shared object file's .text
> section.
> It is a sharedObject file created with the Android NDK.
>
>
> the reason is that your assumption that bytes come from .text must
> be code is wrong.
> you can always find in .text section data & rubbish.
>
>
> thanks.
>
> Any comments or suggestions on this?
>
> Thanks!
> Philipp
>
> On 14.08.2015 15:35, Philipp Roskosch wrote:
> > Hello,
> >
> > I am trying to reverse native libraries for Android (ARM). I used
> > capstone (with java) and disassembled ARM executables which worked very
> > good. Doing the same thing with a shared library (created with the
> > Android NDK) isn't working. Capstone only returns the code for the first
> > function and ignores all following commands. Am I missing something?
> >
> > Thanks!
> >
> > ------------------------------------------------------------------------------
> > _______________________________________________
> > Capstone-users mailing list
> > Cap...@li...
> > <mailto:Cap...@li...>
> > https://lists.sourceforge.net/lists/listinfo/capstone-users

From: derrek <der...@ya...> - 2015-08-20 10:12:14

Hi Philipp,

as Nguyen Anh Quynh already said, a .text section contains both, executable instructions and data (e.g. data pools used by functions). If you are reading the disassembly of your code you will notice PC-relative reads which load constants from such a data pool. Some of this data might be executable in theory, but when looking at your code again you will see an unconditional branch instruction right before the start of that pool, so execution actually never flows into that part of the binary.

Regards,
-derrek

On Wed, Aug 19, 2015 at 8:19 PM, Philipp Roskosch <phi...@si...> wrote:

> Hi again,
>
> I investigated my shared-object file a little bit more with different
> tools which are using capstone. On www.CEnigma.org my problem can be
> reproduced:
>
> Settings: Arm, Little Endian
> Code: 04 00 9F E5 00 00 8F E0 E7 FF FF EA C8 23 00 00
> 00 00 50 E3 08 40 2D E9 08 80 BD 08 30 FF 2F E1
> 08 80 BD E8 00 10 A0 E1 0C 20 9F E5 0C 00 9F E5
> 02 20 8F E0 00 00 8F E0 D8 FF FF EA 9C 23 00 00
> D4 FF FF FF 08 B5 03 48 78 44 00 F0 4F FF 01 20
> 08 BD C0 46 70 11 00 00 03 68 00 B5 5A 00 03 D5
>
> After the instruction "D4 FF FF FF" the output just stops. Move this
> instruction to the beginning and it tells you "Error: Failed to
> disassemble! Invalid input?".
>
> D4 FF FF FF is not a valid instruction, so you need to look closer into
> your binary file.
>
> the reason is that your assumption that bytes come from .text must be
> code is wrong.
>
> thanks.
>
> I do not know if this is a bug or working as intended. Fact is that
> these byte sequence is present in my shared object file's .text section.
> It is a sharedObject file created with the Android NDK.
>
> the reason is that your assumption that bytes come from .text must be
> code is wrong. you can always find in .text section data & rubbish.
>
> thanks.
>
> Any comments or suggestions on this?
>
> Thanks!
> Philipp
>
> On 14.08.2015 15:35, Philipp Roskosch wrote:
> > Hello,
> >
> > I am trying to reverse native libraries for Android (ARM). I used
> > capstone (with java) and disassembled ARM executables which worked very
> > good. Doing the same thing with a shared library (created with the
> > Android NDK) isn't working. Capstone only returns the code for the first
> > function and ignores all following commands. Am I missing something?
> >
> > Thanks!
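
The following is an added example, not part of the mailing-list thread and not Capstone's own code. It scans the ARM bytes Philipp posted for PC-relative LDR instructions, marks the words they read as literal-pool data, and checks that an unconditional branch sits right before each pool, as derrek describes. The function names and the ARM-only decoding (no Thumb) are assumptions of this example.

```python
import struct

# Bytes quoted in the thread ("Settings: Arm, Little Endian"); offset 0 is the
# first byte of the dump.
SAMPLE = bytes.fromhex(
    "04 00 9F E5 00 00 8F E0 E7 FF FF EA C8 23 00 00"
    "00 00 50 E3 08 40 2D E9 08 80 BD 08 30 FF 2F E1"
    "08 80 BD E8 00 10 A0 E1 0C 20 9F E5 0C 00 9F E5"
    "02 20 8F E0 00 00 8F E0 D8 FF FF EA 9C 23 00 00"
    "D4 FF FF FF 08 B5 03 48 78 44 00 F0 4F FF 01 20"
    "08 BD C0 46 70 11 00 00 03 68 00 B5 5A 00 03 D5"
)


def words(code):
    """Yield (offset, 32-bit little-endian word) for every aligned word."""
    for off in range(0, len(code) - 3, 4):
        yield off, struct.unpack_from("<I", code, off)[0]


def literal_refs(code):
    """Map literal offset -> offsets of the LDR Rd, [pc, #imm] that read it."""
    refs = {}
    for off, w in words(code):
        # Word load, immediate offset, P=1, W=0, Rn=pc; cond 1111 is not LDR.
        if w >> 28 == 0xF or (w & 0x0F7F0000) != 0x051F0000:
            continue
        imm = w & 0xFFF
        if not w & (1 << 23):       # U bit clear: the offset is subtracted
            imm = -imm
        target = off + 8 + imm      # in ARM state pc reads as instruction + 8
        if target % 4 == 0 and 0 <= target <= len(code) - 4:
            refs.setdefault(target, []).append(off)
    return refs


def literal_pools(code):
    """Merge referenced words into runs of (start, end, guarded).

    guarded is True when the word just before the run is an unconditional
    B (condition AL), so execution cannot fall through into the data.
    """
    by_off = dict(words(code))
    pools = []
    for target in sorted(literal_refs(code)):
        if pools and pools[-1][1] == target:
            pools[-1][1] = target + 4           # extend the current run
            continue
        prev = by_off.get(target - 4)
        guarded = prev is not None and (prev & 0xFF000000) == 0xEA000000
        pools.append([target, target + 4, guarded])
    return [tuple(p) for p in pools]


def code_spans(code):
    """Byte ranges this scan did not identify as literal-pool data."""
    spans, cursor = [], 0
    for start, end, _ in literal_pools(code):
        if start > cursor:
            spans.append((cursor, start))
        cursor = end
    if cursor < len(code):
        spans.append((cursor, len(code)))
    return spans


if __name__ == "__main__":
    for target, loaders in sorted(literal_refs(SAMPLE).items()):
        word = struct.unpack_from("<I", SAMPLE, target)[0]
        who = ", ".join(f"0x{o:02X}" for o in loaders)
        print(f"literal 0x{target:02X} = 0x{word:08X}, loaded by LDR at {who}")
    for start, end, guarded in literal_pools(SAMPLE):
        print(f"pool 0x{start:02X}-0x{end - 1:02X}, branch before it: {guarded}")
    for start, end in code_spans(SAMPLE):
        print(f"not pool data: 0x{start:02X}-0x{end - 1:02X}")
```

On the posted bytes the second pool covers offsets 0x3C to 0x43, which includes the D4 FF FF FF word at which the disassembly stopped.
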

From: Jay O. <ja...@ko...> - 2015-08-19 18:56:18

Tip: Use Capstone's skipdata mode to handle these situations:
http://www.capstone-engine.org/skipdata.html

On Wed, Aug 19, 2015 at 7:21 AM, Nguyen Anh Quynh <aq...@gm...> wrote:

> On Wed, Aug 19, 2015 at 8:19 PM, Philipp Roskosch <
> phi...@si...> wrote:
>
>> Hi again,
>>
>> I investigated my shared-object file a little bit more with different
>> tools which are using capstone. On www.CEnigma.org my problem can be
>> reproduced:
>>
>> Settings: Arm, Little Endian
>> Code: 04 00 9F E5 00 00 8F E0 E7 FF FF EA C8 23 00 00
>> 00 00 50 E3 08 40 2D E9 08 80 BD 08 30 FF 2F E1
>> 08 80 BD E8 00 10 A0 E1 0C 20 9F E5 0C 00 9F E5
>> 02 20 8F E0 00 00 8F E0 D8 FF FF EA 9C 23 00 00
>> D4 FF FF FF 08 B5 03 48 78 44 00 F0 4F FF 01 20
>> 08 BD C0 46 70 11 00 00 03 68 00 B5 5A 00 03 D5
>>
>> After the instruction "D4 FF FF FF" the output just stops. Move this
>> instruction to the beginning and it tells you "Error: Failed to
>> disassemble! Invalid input?".
>>
>
> D4 FF FF FF is not a valid instruction, so you need to look closer into
> your binary file.
>
> the reason is that your assumption that bytes come from .text must be code
> is wrong.
>
>
> thanks.
>
>
>> I do not know if this is a bug or working as intended. Fact is that
>> these byte sequence is present in my shared object file's .text section.
>> It is a sharedObject file created with the Android NDK.
>>
>
> the reason is that your assumption that bytes come from .text must be code
> is wrong.
> you can always find in .text section data & rubbish.
>
>
> thanks.
>
>
>> Any comments or suggestions on this?
>>
>> Thanks!
>> Philipp
>>
>> On 14.08.2015 15:35, Philipp Roskosch wrote:
>> > Hello,
>> >
>> > I am trying to reverse native libraries for Android (ARM). I used
>> > capstone (with java) and disassembled ARM executables which worked very
>> > good. Doing the same thing with a shared library (created with the
>> > Android NDK) isn't working. Capstone only returns the code for the first
>> > function and ignores all following commands. Am I missing something?
>> >
>> > Thanks!

From: Nguyen A. Q. <aq...@gm...> - 2015-08-19 14:21:26

On Wed, Aug 19, 2015 at 8:19 PM, Philipp Roskosch <phi...@si...> wrote:

> Hi again,
>
> I investigated my shared-object file a little bit more with different
> tools which are using capstone. On www.CEnigma.org my problem can be
> reproduced:
>
> Settings: Arm, Little Endian
> Code: 04 00 9F E5 00 00 8F E0 E7 FF FF EA C8 23 00 00
> 00 00 50 E3 08 40 2D E9 08 80 BD 08 30 FF 2F E1
> 08 80 BD E8 00 10 A0 E1 0C 20 9F E5 0C 00 9F E5
> 02 20 8F E0 00 00 8F E0 D8 FF FF EA 9C 23 00 00
> D4 FF FF FF 08 B5 03 48 78 44 00 F0 4F FF 01 20
> 08 BD C0 46 70 11 00 00 03 68 00 B5 5A 00 03 D5
>
> After the instruction "D4 FF FF FF" the output just stops. Move this
> instruction to the beginning and it tells you "Error: Failed to
> disassemble! Invalid input?".

D4 FF FF FF is not a valid instruction, so you need to look closer into your binary file.

the reason is that your assumption that bytes come from .text must be code is wrong.

thanks.

> I do not know if this is a bug or working as intended. Fact is that
> these byte sequence is present in my shared object file's .text section.
> It is a sharedObject file created with the Android NDK.

the reason is that your assumption that bytes come from .text must be code is wrong.
you can always find in .text section data & rubbish.

thanks.

> Any comments or suggestions on this?
>
> Thanks!
> Philipp
>
> On 14.08.2015 15:35, Philipp Roskosch wrote:
> > Hello,
> >
> > I am trying to reverse native libraries for Android (ARM). I used
> > capstone (with java) and disassembled ARM executables which worked very
> > good. Doing the same thing with a shared library (created with the
> > Android NDK) isn't working. Capstone only returns the code for the first
> > function and ignores all following commands. Am I missing something?
> >
> > Thanks!

From: Philipp R. <phi...@si...> - 2015-08-19 12:19:50

Hi again,

I investigated my shared-object file a little bit more with different tools which are using capstone. On www.CEnigma.org my problem can be reproduced:

Settings: Arm, Little Endian
Code: 04 00 9F E5 00 00 8F E0 E7 FF FF EA C8 23 00 00
00 00 50 E3 08 40 2D E9 08 80 BD 08 30 FF 2F E1
08 80 BD E8 00 10 A0 E1 0C 20 9F E5 0C 00 9F E5
02 20 8F E0 00 00 8F E0 D8 FF FF EA 9C 23 00 00
D4 FF FF FF 08 B5 03 48 78 44 00 F0 4F FF 01 20
08 BD C0 46 70 11 00 00 03 68 00 B5 5A 00 03 D5

After the instruction "D4 FF FF FF" the output just stops. Move this instruction to the beginning and it tells you "Error: Failed to disassemble! Invalid input?".

I do not know if this is a bug or working as intended. Fact is that these byte sequence is present in my shared object file's .text section. It is a sharedObject file created with the Android NDK.

Any comments or suggestions on this?

Thanks!
Philipp

On 14.08.2015 15:35, Philipp Roskosch wrote:
> Hello,
>
> I am trying to reverse native libraries for Android (ARM). I used
> capstone (with java) and disassembled ARM executables which worked very
> good. Doing the same thing with a shared library (created with the
> Android NDK) isn't working. Capstone only returns the code for the first
> function and ignores all following commands. Am I missing something?
>
> Thanks!

From: Philipp R. <phi...@si...> - 2015-08-14 13:52:44

Hello,

I am trying to reverse native libraries for Android (ARM). I used capstone (with java) and disassembled ARM executables which worked very good. Doing the same thing with a shared library (created with the Android NDK) isn't working. Capstone only returns the code for the first function and ignores all following commands. Am I missing something?

Thanks!

From: James H. <sei...@go...> - 2015-08-11 13:14:22

Hello,

While playing around with Capstone, I was wondering if I could utilize this great library on Android devices. I've cross-compiled to armeabi, however I don't seem able to use the Java bindings (it comes back with a missing class error, RE Capstone$CS).

Is it possible to use the Java bindings on Android, or would I need to create my own JNI layer using the NDK, which imports the Capstone library and handles communication through to Java?

Thanks,
James H

From: Nguyen A. Q. <aq...@gm...> - 2015-08-03 07:12:20

hi,

We are leaving for BlackHat USA very soon. Our presentation at BlackHat USA will be on August 5th, 10:20 - 11:10, in room "South Seas IJ".

Anybody here is also visiting BH? Would love to see some Capstone users there!

Cheers,
Quynh

From: Nguyen A. Q. <aq...@gm...> - 2015-07-29 15:01:51

Greetings,

Capstone is an open source project that is maintained & developed in our spare time. It is totally free, and so far we have never received a single cent from donation or sponsor.

However, we are realizing that to keep up with the increasing demand of community & push Capstone to another level, we need more helps from community. For this reason, we are now receiving donation for Capstone. You can either donate via Paypal or send us Bitcoins.

Paypal email: cap...@gm...
Bitcoin: 1fGz2GYSjiJxUoACpsHXcGmaAhbEDTuWi

All the donation will be used to improve Capstone. Some priorities are:

- Get a professional designer to make a better logo that Capstone deserves to have.
- Have the current website redesigned to be more friendly & efficient.
- Give rewards to those who are willing to work on our outstanding works (such as this), so we can release the next versions faster.
- Add more features requested by a lot of users, like having new architectures such as Hexagon.

More information is available at http://www.capstone-engine.org/donate.html

Many thanks for your support,
Quynh

From: Nguyen A. Q. <aq...@gm...> - 2015-07-22 04:06:31

hi,

currently SourceForge is down, and because our website is hosted there, we can do nothing but wait for it to be restored (by SF).

meanwhile, you can use our backup website at http://capstone-engine.github.io/

cheers,
Quynh

On Wed, Jul 15, 2015 at 10:30 PM, Nguyen Anh Quynh <aq...@gm...> wrote:

> Greetings,
>
> We are excited to announce version 3.0.4 of Capstone disassembly framework!
>
> This stable release fixes some potential security issues in the core, so
> existing users are strongly recommended to upgrade.
>
> Summary of important changes in v3.0.4:
>
> - Fixed memory corruption bugs of X86, Arm, Mips, PowerPC & XCore
> architectures.
> - Properly handle some X86 instructions: OUT, SSE.
> - Improve Python binding with more installation options.
> - Improve cross compile for Android.
>
> More details are available at
> http://capstone-engine.org/Version-3.0.4.html
>
> (For those who do not know, Capstone is an open source multi-arch,
> multi-platform disassembly engine with homepage at
> http://capstone-engine.org)
>
>
> Thanks,
> Quynh

From: Nguyen A. Q. <aq...@gm...> - 2015-07-15 14:30:38

Greetings,

We are excited to announce version 3.0.4 of Capstone disassembly framework!

This stable release fixes some potential security issues in the core, so existing users are strongly recommended to upgrade.

Summary of important changes in v3.0.4:

- Fixed memory corruption bugs of X86, Arm, Mips, PowerPC & XCore architectures.
- Properly handle some X86 instructions: OUT, SSE.
- Improve Python binding with more installation options.
- Improve cross compile for Android.

More details are available at http://capstone-engine.org/Version-3.0.4.html

(For those who do not know, Capstone is an open source multi-arch, multi-platform disassembly engine with homepage at http://capstone-engine.org)

Thanks,
Quynh

From: Nguyen A. Q. <aq...@gm...> - 2015-06-22 13:00:39

hi,

i am going to give a talk in the next BHUSA 2015 in early August. this year BH gives each speaker 2 complementary student passes for free.

if anybody here is student, wants to & can attend BH, please contact me ASAP to register for this free pass.

the condition to get this free pass is at "Students" section in https://www.blackhat.com/us-15/registration.html#academic

NOTE: this is only the entrance ticket to BH events, and students still need to cover themselves for travel & accommodation fee.

(this is on first come - first serve basis)

thanks,
Quynh

From: Nguyen A. Q. <aq...@gm...> - 2015-05-25 22:45:05

On Tue, May 26, 2015 at 2:10 AM, Peter Matula <p3t...@gm...> wrote:

> Hello,
> I was looking at "Blackhat USA 2014 slides" and found a mention about
> something that interests me: "Epic: framework to translate binaries of any
> arch to LLVM bitcode". I watched a video of this presentation on youtube,
> where Nguyen Anh Quynh said that it is something he is working on, and that
> it is a work in progress.
>
> So, I would like to ask if this is still true.

that is true, yes. note that this requires a lot of work on design & implementation to have a proper product, so it takes time.

> Is someone working on it? If yes, how far is it? Can we hope for a release
> in some not so distant future? I think such a tool would come in handy in
> many projects.
>
> I have been experimenting with both capstone and LLVM, and I'm thinking
> about writing some simple prototype (probably for MIPS) just to see what it
> takes. However, it would be a waste of time if there already is an almost
> finished implementation just around the corner.

i hope to be able to shed some lights & talk more about this in few months time.

cheers,
Q

From: Peter M. <p3t...@gm...> - 2015-05-25 19:07:03

Hello,

I was looking at "Blackhat USA 2014 slides" and found a mention about something that interests me: "Epic: framework to translate binaries of any arch to LLVM bitcode". I watched a video of this presentation on youtube, where Nguyen Anh Quynh said that it is something he is working on, and that it is a work in progress.

So, I would like to ask if this is still true. Is someone working on it? If yes, how far is it? Can we hope for a release in some not so distant future? I think such a tool would come in handy in many projects.

I have been experimenting with both capstone and LLVM, and I'm thinking about writing some simple prototype (probably for MIPS) just to see what it takes. However, it would be a waste of time if there already is an almost finished implementation just around the corner.

thank for the reply
Peter Matula

From: Nguyen A. Q. <aq...@gm...> - 2015-05-08 14:24:29

Greetings,

Version 3.0.3 of Capstone disassembly framework is officially out!

I would like to dedicate this release to Prof. Yoshiyasu Takefuji, my former advisor, who is turning 60 years old this year 2015!

This stable version brings some important bugfixes for X86, Arm, Sparc & Python/Cython bindings. All users are encouraged to upgrade.

Further information is available at http://capstone-engine.org/Version-3.0.3.html

Thanks,
Quynh

From: Nguyen A. Q. <aq...@gm...> - 2015-04-28 13:30:22

Greetings,

We are happy to announce the Release Candidate 1 of version 3.0.3 of Capstone disassembly framework!

Find the link to source code at http://capstone-engine.org/Version-3.0.3-RC1.html

Summary of important changes in v3.0.3-RC1:

- Fixed a segfault of X86 engine.
- Some bug fixes for X86, Arm & Sparc.
- Fixed some issues for Python & Cython bindings.
- Support to embed Capstone into Mac OS X kernel extensions.
- Fixed compilation issue with older C compilers such as GCC 4.6.

Please test and report all the issues you find.

Thanks,
Capstone Engine team.

From: Nguyen A. Q. <aq...@gm...> - 2015-03-25 17:01:35

hi,

we are happy to introduce a new Capstone API named cs_regs_access(), which can be used to retrieve all the registers being read or modified by an instruction!

this advanced feature has been longed for by a lot of people who want to do advanced binary analysis on assembly code (think about data flow, or taint analysis).

documentation on this API is available at: http://capstone-engine.org/op_access.html

for a screenshot demonstrating this API, see this tweet: https://twitter.com/capstone_engine/status/580773946057871361

NOTE: for now, this API is only available in the "next" branch of our Github repo - which will be officially released as version 4.0 soon.

please report if you find any issues with this new feature.

thanks,
Quynh

From: Capstone E. <cap...@gm...> - 2015-03-21 17:05:37

On Mar 22, 2015 12:46 AM, "Nguyen Anh Quynh" <aq...@gm...> wrote:
>
> hi,
>
> just want to let you know that now Capstone has Lua binding! this is a great work done by Antonio Davide!
>
> https://github.com/Dax89
>
> this raises the number of programming languages supported by Capstone to 10.
> the full list includes C++, C#, Go, Java, Javascript, Lua, Ocaml, Python, Ruby & Vala.

The link to the Lua binding is https://github.com/Dax89/LuaCapstone

Thanks,
Q

From: Nguyen A. Q. <aq...@gm...> - 2015-03-21 16:46:27

hi,

just want to let you know that now Capstone has Lua binding! this is a great work done by Antonio Davide!

https://github.com/Dax89

this raises the number of programming languages supported by Capstone to 10. the full list includes C++, C#, Go, Java, Javascript, Lua, Ocaml, Python, Ruby & Vala.

cheers,
Q

From: Nguyen A. Q. <aq...@gm...> - 2015-03-11 22:43:24

On Thu, Mar 12, 2015 at 6:10 AM, David Callahan <dca...@fb...> wrote:

> Thanks Q. I did notice how the jump groups are set.
> For my application, I wanted “RET” -> RETURN group and “BL/BLR” -> “Call
> Group” as well. I replaced the dynamic jump handling with static
> elaboration. I modified the code to update AArch64Mapping.c and
> include/arm64.h
> Are you interested in these changes?

sure, this will be useful. actually this was done for X86 arch, and all the other archs should follow.

please do a Pull Request on Github, and base your work on the "next" branch.

thanks.
Q

From: Nguyen Anh Quynh <aq...@gm...>
Date: Thursday, March 5, 2015 at 9:16 PM
To: "Capstone disassembly framework (www.capstone-engine.org)" <cap...@li...>
Cc: David Callahan <dca...@fb...>
Subject: Re: [Capstone-users] AARch64 details

On Mon, Feb 23, 2015 at 3:25 PM, Nguyen Anh Quynh <aq...@gm...> wrote:

> On Sat, Feb 21, 2015 at 9:09 AM, Nguyen Anh Quynh <aq...@gm...>
> wrote:
>
>> That must be a bug. Please fix what you see wrong, then send the Pull
>> Request on Github.
>>
>> Do remember to base your work on the "next" branch.
>>
>> Thanks.
>> On Feb 21, 2015 9:06 AM, "David Callahan" <dca...@fb...> wrote:
>>
>>>
>>> Hello,
>>>
>>> I picked up capstone to work on rewriting project targeting arm &
>>> arm64. It appears that the details information for AArch64 is quite
>>> incomplete, for example the B branch instruction is marked as a branch but
>>> BL is not and neither is shown in any sort of “JUMP” group. What is the
>>> status and short term expectations for these kinds of details?
>>>
>>

i forgot this detail: JUMP group is handled dynamically at run-time, so you are actually not missing it at the output of cs_disasm()

see function AArch64_get_insn_id() in AArch64Mapping.c for more detail.

so what you reported is not a bug.

thanks.
Q

From: David C. <dca...@fb...> - 2015-03-11 22:31:41

Thanks Q. I did notice how the jump groups are set.
For my application, I wanted “RET” -> RETURN group and “BL/BLR” -> “Call Group” as well. I replaced the dynamic jump handling with static elaboration. I modified the code to update AArch64Mapping.c and include/arm64.h
Are you interested in these changes?

—david

From: Nguyen Anh Quynh <aq...@gm...<mailto:aq...@gm...>>
Date: Thursday, March 5, 2015 at 9:16 PM
To: "Capstone disassembly framework (www.capstone-engine.org)" <cap...@li...<mailto:cap...@li...>>
Cc: David Callahan <dca...@fb...<mailto:dca...@fb...>>
Subject: Re: [Capstone-users] AARch64 details

On Mon, Feb 23, 2015 at 3:25 PM, Nguyen Anh Quynh <aq...@gm...<mailto:aq...@gm...>> wrote:

On Sat, Feb 21, 2015 at 9:09 AM, Nguyen Anh Quynh <aq...@gm...<mailto:aq...@gm...>> wrote:

That must be a bug. Please fix what you see wrong, then send the Pull Request on Github.

Do remember to base your work on the "next" branch.

Thanks.

On Feb 21, 2015 9:06 AM, "David Callahan" <dca...@fb...<mailto:dca...@fb...>> wrote:

Hello,

I picked up capstone to work on rewriting project targeting arm & arm64. It appears that the details information for AArch64 is quite incomplete, for example the B branch instruction is marked as a branch but BL is not and neither is shown in any sort of “JUMP” group. What is the status and short term expectations for these kinds of details?

i forgot this detail: JUMP group is handled dynamically at run-time, so you are actually not missing it at the output of cs_disasm()

see function AArch64_get_insn_id() in AArch64Mapping.c for more detail.

so what you reported is not a bug.

thanks.
Q