From: Nguyen A. Q. <aq...@gm...> - 2015-03-11 14:48:13
Greetings,

We are pleased to announce version 3.0.2 of Capstone disassembly framework!

This stable release brings some important bugfixes for X86, Arm, Mips & Cython binding. All users are encouraged to upgrade.

Further information is available at http://capstone-engine.org/Version-3.0.2.html

Thanks,
Quynh

From: Nguyen A. Q. <aq...@gm...> - 2015-03-06 04:17:18
On Mon, Feb 23, 2015 at 3:25 PM, Nguyen Anh Quynh <aq...@gm...> wrote:

> On Sat, Feb 21, 2015 at 9:09 AM, Nguyen Anh Quynh <aq...@gm...> wrote:
>
>> That must be a bug. Please fix what you see wrong, then send the Pull
>> Request on Github.
>>
>> Do remember to base your work on the "next" branch.
>>
>> Thanks.
>> On Feb 21, 2015 9:06 AM, "David Callahan" <dca...@fb...> wrote:
>>
>>> Hello,
>>>
>>> I picked up capstone to work on rewriting project targeting arm &
>>> arm64. It appears that the details information for AArch64 is quite
>>> incomplete, for example the B branch instruction is marked as a branch but
>>> BL is not and neither is shown in any sort of “JUMP” group. What is the
>>> status and short term expectations for these kinds of details?

i forgot this detail: JUMP group is handled dynamically at run-time, so you are actually not missing it at the output of cs_disasm()

see function AArch64_get_insn_id() in AArch64Mapping.c for more detail.

so what you reported is not a bug.

thanks.
Q

From: Nguyen A. Q. <aq...@gm...> - 2015-02-23 07:26:02
On Sat, Feb 21, 2015 at 9:09 AM, Nguyen Anh Quynh <aq...@gm...> wrote:

> That must be a bug. Please fix what you see wrong, then send the Pull
> Request on Github.
>
> Do remember to base your work on the "next" branch.
>
> Thanks.
> On Feb 21, 2015 9:06 AM, "David Callahan" <dca...@fb...> wrote:
>
>> Hello,
>>
>> I picked up capstone to work on rewriting project targeting arm &
>> arm64. It appears that the details information for AArch64 is quite
>> incomplete, for example the B branch instruction is marked as a branch but
>> BL is not and neither is shown in any sort of “JUMP” group. What is the
>> status and short term expectations for these kinds of details?

to fix this issue, you just need to modify insns[] in file arch/AArch64/AArch64Mapping.c to add new groups for related instructions.

thanks,
Q

From: Nguyen A. Q. <aq...@gm...> - 2015-02-21 01:09:53
That must be a bug. Please fix what you see wrong, then send the Pull Request on Github.

Do remember to base your work on the "next" branch.

Thanks.

On Feb 21, 2015 9:06 AM, "David Callahan" <dca...@fb...> wrote:

> Hello,
>
> I picked up capstone to work on rewriting project targeting arm & arm64.
> It appears that the details information for AArch64 is quite incomplete,
> for example the B branch instruction is marked as a branch but BL is not
> and neither is shown in any sort of “JUMP” group. What is the status and
> short term expectations for these kinds of details?
>
> Thanks
> david

From: David C. <dca...@fb...> - 2015-02-21 00:11:54
Hello,

I picked up capstone to work on rewriting project targeting arm & arm64. It appears that the details information for AArch64 is quite incomplete, for example the B branch instruction is marked as a branch but BL is not and neither is shown in any sort of “JUMP” group. What is the status and short term expectations for these kinds of details?

Thanks
david

From: Nguyen A. Q. <aq...@gm...> - 2015-02-07 03:05:50
On Sat, Feb 7, 2015 at 2:07 AM, Yue Chen <yc...@gm...> wrote:

> Dear all,
>
> I am working on a project that needs to disassemble FreeBSD kernel code in
> memory. I tried to use Capstone in my kernel module. However, when I link
> "libcapstone.a" with my kernel module object, there would be errors like no
> symbol "sprintf", "memset", "memcpy", etc. After implementing them on my
> own in another library, the kernel always crashes when executing "cs_open".
>
> I followed the instructions on http://www.capstone-engine.org/embed.html
> to replace the memory allocation functions and vsnprintf with FreeBSD
> kernel's, but the problems still exist. Anyone could give an idea or
> example about how to implement it in a better way (even a better Makefile
> to link them)?

we can only work out the solution if you know exactly why the crash happens. can you debug your code to answer this question?

thanks,
Q

From: Yue C. <yc...@gm...> - 2015-02-06 18:07:44
Dear all,

I am working on a project that needs to disassemble FreeBSD kernel code in memory. I tried to use Capstone in my kernel module. However, when I link "libcapstone.a" with my kernel module object, there would be errors like no symbol "sprintf", "memset", "memcpy", etc. After implementing them on my own in another library, the kernel always crashes when executing "cs_open".

I followed the instructions on http://www.capstone-engine.org/embed.html to replace the memory allocation functions and vsnprintf with FreeBSD kernel's, but the problems still exist. Anyone could give an idea or example about how to implement it in a better way (even a better Makefile to link them)?

Many thanks and regards,
Yue

From: Capstone E. <cap...@gm...> - 2015-02-04 04:20:19
On Wed, Feb 4, 2015 at 12:26 AM, Capstone Engine <cap...@gm...> wrote:

> On Tue, Feb 3, 2015 at 5:44 AM, Edwin Cheng <edw...@gm...> wrote:
>
>> Hi all,
>>
>> I am working on the "Provide explicit registers" feature described in
>> capstone github wiki page.
>> The idea is based on using "ins" and "outs" description in MCInstrDesc
>> X86Insts, (X86GenInstrInfo.inc)
>> which is generated by llvm-tblgen. However, the X86Insts part was cut in
>> capstone.
>> I tried to generate myself but i found that the instruction set is not
>> same as the trunk of llvm. So,
>>
>> 1. What is the version of LLVM for table generation (at least X86) ?
>
> thanks for contacting us! we already have something underway, but it would
> be great to have you helped to speed up the process.
> will send you more info later.

i just pushed the work-in-progress to the "next" branch on Github.

https://github.com/aquynh/capstone/tree/next

you can find the mapping table in an array variable named "insn_ops" in arch/X86/X86Mapping.c

currently this is not ready yet, so i commented it out.

status: this table was auto-gen, so information can be incorrect, or missing. so it is a good idea to go thru & verify every instructions.

please send pull request on Github if you can update this table.

thanks,
Q

From: Capstone E. <cap...@gm...> - 2015-02-03 16:26:14
On Tue, Feb 3, 2015 at 5:44 AM, Edwin Cheng <edw...@gm...> wrote:

> Hi all,
>
> I am working on the "Provide explicit registers" feature described in
> capstone github wiki page.
> The idea is based on using "ins" and "outs" description in MCInstrDesc
> X86Insts, (X86GenInstrInfo.inc)
> which is generated by llvm-tblgen. However, the X86Insts part was cut in
> capstone.
> I tried to generate myself but i found that the instruction set is not
> same as the trunk of llvm. So,
>
> 1. What is the version of LLVM for table generation (at least X86) ?

thanks for contacting us! we already have something underway, but it would be great to have you helped to speed up the process.

will send you more info later.

> 2. How capstone convert the LLVM C++ to C ?

i did everything manually.

thanks,
Q

From: Nguyen A. Q. <aq...@gm...> - 2015-02-03 16:12:42
Greetings,

We are happy & excited to release version 3.0.1 of Capstone disassembly framework!

This stable version brings some important bugfixes for X86, Arm, Arm64, PowerPC architectures. Several memory leaking issues in Python/Cython bindings have been addressed, too.

Since this release, our Python module "capstone" on PyPi allows to download & compile the core at the same time of installing Python package, so Python users can just do "pip install" without having to install the core beforehand.

More information is available at http://capstone-engine.org/Version-3.0.1.html

Thanks,
Quynh

From: Edwin C. <edw...@gm...> - 2015-02-02 21:44:19
Hi all,

I am working on the "Provide explicit registers" feature described in capstone github wiki page. The idea is based on using "ins" and "outs" description in MCInstrDesc X86Insts, (X86GenInstrInfo.inc) which is generated by llvm-tblgen. However, the X86Insts part was cut in capstone. I tried to generate myself but i found that the instruction set is not same as the trunk of llvm. So,

1. What is the version of LLVM for table generation (at least X86) ?
2. How capstone convert the LLVM C++ to C ?

--
Cheers,
Edwin Cheng

From: Nguyen A. Q. <aq...@gm...> - 2015-01-28 23:22:25
On Thu, Jan 29, 2015 at 2:17 AM, GROETZ, MICHAEL A CTR USAF AFMC AFRL/RYWA <mic...@us...> wrote:

> Just download the latest Netbeans 8.0.2 and it comes with Java 1.8. Create
> a new project. Add Test86.java to the project. Under project properties ->
> libraries add capstone.jar. Add capstone.dll to your project directory main
> folder (where build.xml is). Run the project, that's it.
>
> Netbeans is pretty easy to figure out if you are not familiar with it.
> I'm using Win 7 x64.
>
> On a side note, if anyone has C code that calculates the size of the PE
> header and can pass it on I would greatly appreciate it.

a quick search on Github brings out a lot of open source code, so you should try your luck there. few results i found:

https://github.com/r12f/libpe
https://github.com/merces/pev

cheers,
Q

From: GROETZ, M. A C. U. A. AFRL/R. <mic...@us...> - 2015-01-28 18:17:20
Just download the latest Netbeans 8.0.2 and it comes with Java 1.8. Create a new project. Add Test86.java to the project. Under project properties -> libraries add capstone.jar. Add capstone.dll to your project directory main folder (where build.xml is). Run the project, that's it.

Netbeans is pretty easy to figure out if you are not familiar with it. I'm using Win 7 x64.

On a side note, if anyone has C code that calculates the size of the PE header and can pass it on I would greatly appreciate it.

Thanks,
Mike

From: GROETZ, M. A C. U. A. AFRL/R. <mic...@us...> - 2015-01-27 17:15:37
Okay, thanks for all your help.

Michael Groetz | Leidos | Contractor
Software Application Engineer
Multi-Sensor Exploitation and Countermeasures Division
(937) 528-8043

From: Nguyen A. Q. <aq...@gm...> - 2015-01-27 16:22:18
On Tue, Jan 27, 2015 at 10:16 PM, GROETZ, MICHAEL A CTR USAF AFMC AFRL/RYWA <mic...@us...> wrote:

> I will research PE headers.
>
> Feature request - it would be nice if Capstone automatically skipped the
> PE header when you call cs_disasm.

sorry this will not be possible: you can look at the API, and see that Capstone only deals with raw binary input, and has no knowledge of file formats.

Capstone is designed to be clean & simple, with the target of doing one thing and doing it well. everything more complicated (such as dealing with PE files) must be built on top of it, at tool's level.

> I'm no C expert so the fact that I have to figure this out to get Capstone
> to do what I want it to do is almost a show stopper for me. I can figure it
> out, I just don't have a lot of time to do the research.

no worry, you can always post your questions to this mailing list when you cannot find the answers yourself.

cheers,
Q

> -----Original Message-----
> From: Nguyen Anh Quynh [mailto:aq...@gm...]
> Sent: Friday, January 23, 2015 7:20 PM
> To: Capstone disassembly framework (www.capstone-engine.org)
> Subject: Re: [Capstone-users] Capstone / NetBeans 8.0.2 Help
>
> On Sat, Jan 24, 2015 at 2:27 AM, GROETZ, MICHAEL A CTR USAF AFMC AFRL/RYWA
> <mic...@us...> wrote:
>
>> I guess I'm also confused by what you mean when you refer to
>> illegal code. Seems like no matter what exe I try to disassemble, I get
>> about 4 lines assembly instructions.
>
> you got the same output because you are trying to disassemble the same
> thing: all the EXE file share the same the first part as a EXE header.
>
> what you need to do is to disassemble code, not header, so you should
> start from the EXE entry pointer, not from the EXE header.
>
> to find the EXE entry pointer, read documentation about PE/PE+ format (PE
> is EXE header of 32bit EXE, PE+ is header of 64bit EXE).
>
> another way is to read source code of binary analysis program (such as
> http://radare.org) to see how they deal with EXE files.
>
> thanks,
>
> Q
>
> -----Original Message-----
> From: Nguyen Anh Quynh [mailto:aq...@gm...]
> Sent: Friday, January 23, 2015 10:38 AM
> To: Capstone disassembly framework (www.capstone-engine.org)
> Subject: Re: [Capstone-users] Capstone / NetBeans 8.0.2 Help
>
> On Fri, Jan 23, 2015 at 11:15 PM, GROETZ, MICHAEL A CTR USAF AFMC
> AFRL/RYWA <mic...@us...> wrote:
>
>> When I try to disassemble Test.exe, I get the following:
>>
>> 0x1000: pop r10
>> 0x1002: npop
>> 0x1003 add byte ptr [rbx], a1
>> 0x1005: add byte ptr [rbx], a1
>
> i can see that you are trying to disasm Test.exe, but don't expect to see
> its code: you are actually reading from the beginning of Test.exe, where
> the PE header is. the actual code is way behind that. and by default,
> Capstone stops at the first ever illegal code, so you only see 4 assembly
> instructions like above.
>
> thanks.

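The points made in this thread (Capstone takes raw bytes only, disassembly should start at the entry point rather than at the PE header, and the request for C code that gives the PE header size), shown as an added example that is not code from the list or from the Capstone project: a bounds-checked PE/PE+ header reader that returns SizeOfHeaders and the file offset of the entry point. The names `pe_info`, `pe_parse` and `make_sample` are made up for this example, and the 1 KiB image is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical result type for this example. */
typedef struct {
    int      is_pe32_plus;    /* 1 = PE32+ (64-bit), 0 = PE32 (32-bit) */
    uint32_t size_of_headers; /* SizeOfHeaders: DOS stub + PE headers + section table */
    uint32_t entry_rva;       /* AddressOfEntryPoint, relative to the image base */
    size_t   entry_file_off;  /* file offset that corresponds to entry_rva */
    size_t   code_max;        /* raw bytes from the entry point to the end of its section */
} pe_info;

/* Bounds-checked little-endian reads: the file is untrusted input. */
static int rd16(const uint8_t *b, size_t n, size_t off, uint32_t *v) {
    if (off > n || n - off < 2) return -1;
    *v = (uint32_t)b[off] | ((uint32_t)b[off + 1] << 8);
    return 0;
}
static int rd32(const uint8_t *b, size_t n, size_t off, uint32_t *v) {
    if (off > n || n - off < 4) return -1;
    *v = (uint32_t)b[off] | ((uint32_t)b[off + 1] << 8) |
         ((uint32_t)b[off + 2] << 16) | ((uint32_t)b[off + 3] << 24);
    return 0;
}

/* Returns 0 on success, -1 if the buffer is not a well-formed PE image. */
int pe_parse(const uint8_t *b, size_t n, pe_info *out) {
    uint32_t mz, lfanew, sig, nsec, optsz, magic, i;
    if (rd16(b, n, 0, &mz) || mz != 0x5A4D) return -1;            /* "MZ" */
    if (rd32(b, n, 0x3C, &lfanew)) return -1;                     /* e_lfanew */
    if (rd32(b, n, lfanew, &sig) || sig != 0x00004550) return -1; /* "PE\0\0" */
    size_t coff = (size_t)lfanew + 4;   /* COFF file header, 20 bytes */
    size_t opt = coff + 20;             /* optional header */
    if (rd16(b, n, coff + 2, &nsec) || rd16(b, n, coff + 16, &optsz)) return -1;
    if (rd16(b, n, opt, &magic)) return -1;
    if (magic != 0x10B && magic != 0x20B) return -1;
    out->is_pe32_plus = (magic == 0x20B);
    if (rd32(b, n, opt + 16, &out->entry_rva)) return -1;
    if (rd32(b, n, opt + 60, &out->size_of_headers)) return -1;
    if (out->size_of_headers > n) return -1;
    size_t sect = opt + optsz;          /* section table, 40 bytes per entry */
    for (i = 0; i < nsec; i++) {
        uint32_t va, rawsz, rawptr;
        size_t sh = sect + (size_t)i * 40;
        if (rd32(b, n, sh + 12, &va) || rd32(b, n, sh + 16, &rawsz) ||
            rd32(b, n, sh + 20, &rawptr)) return -1;
        if (out->entry_rva < va || out->entry_rva - va >= rawsz) continue;
        uint32_t delta = out->entry_rva - va;
        uint64_t off = (uint64_t)rawptr + delta;
        if (off >= n) return -1;        /* section data lies past end of file */
        size_t avail = n - (size_t)off;
        out->entry_file_off = (size_t)off;
        out->code_max = (rawsz - delta < avail) ? rawsz - delta : avail;
        return 0;
    }
    return -1;                          /* entry point is in no section's raw data */
}

static void put32(uint8_t *b, size_t off, uint32_t v) {
    b[off] = (uint8_t)v;             b[off + 1] = (uint8_t)(v >> 8);
    b[off + 2] = (uint8_t)(v >> 16); b[off + 3] = (uint8_t)(v >> 24);
}

/* Constructed 1 KiB PE32+ image with one .text section; not a real program. */
void make_sample(uint8_t img[0x400]) {
    static const uint8_t code[] = {0x55, 0x48, 0x89, 0xE5, 0xC3};
    memset(img, 0, 0x400);
    img[0] = 'M'; img[1] = 'Z';
    put32(img, 0x3C, 0x80);        /* e_lfanew */
    put32(img, 0x80, 0x00004550);  /* "PE\0\0" */
    put32(img, 0x84, 0x00018664);  /* Machine = AMD64, NumberOfSections = 1 */
    put32(img, 0x94, 0x002200F0);  /* SizeOfOptionalHeader = 0xF0, Characteristics */
    put32(img, 0x98, 0x020B);      /* optional header magic: PE32+ */
    put32(img, 0xA8, 0x1010);      /* AddressOfEntryPoint */
    put32(img, 0xD4, 0x200);       /* SizeOfHeaders */
    memcpy(img + 0x188, ".text", 5);
    put32(img, 0x190, 0x20);       /* VirtualSize */
    put32(img, 0x194, 0x1000);     /* VirtualAddress */
    put32(img, 0x198, 0x200);      /* SizeOfRawData */
    put32(img, 0x19C, 0x200);      /* PointerToRawData */
    memcpy(img + 0x210, code, sizeof code); /* push rbp; mov rbp, rsp; ret */
}

int main(void) {
    uint8_t img[0x400];
    pe_info pi;
    make_sample(img);
    if (pe_parse(img, sizeof img, &pi) != 0) { puts("not a PE image"); return 1; }
    /* A disassembler should be handed img + pi.entry_file_off and pi.code_max,
     * with the address set to image base + pi.entry_rva, not img and sizeof img. */
    printf("%s, headers 0x%x bytes, entry RVA 0x%x at file offset 0x%zx, %zu code bytes\n",
           pi.is_pe32_plus ? "PE32+" : "PE32", (unsigned)pi.size_of_headers,
           (unsigned)pi.entry_rva, pi.entry_file_off, pi.code_max);
    return 0;
}
```

The parser rejects truncated files and header fields that point outside the buffer, which matters when the input is a sample under analysis.
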
From: GROETZ, M. A C. U. A. AFRL/R. <mic...@us...> - 2015-01-27 16:11:22
I will research PE headers.

Feature request - it would be nice if Capstone automatically skipped the PE header when you call cs_disasm.

I'm no C expert so the fact that I have to figure this out to get Capstone to do what I want it to do is almost a show stopper for me. I can figure it out, I just don't have a lot of time to do the research.

Thank You for your help.

-Mike

Michael Groetz | Leidos | Contractor
Software Application Engineer
Multi-Sensor Exploitation and Countermeasures Division
(937) 528-8043

-----Original Message-----
From: Nguyen Anh Quynh [mailto:aq...@gm...]
Sent: Friday, January 23, 2015 7:20 PM
To: Capstone disassembly framework (www.capstone-engine.org)
Subject: Re: [Capstone-users] Capstone / NetBeans 8.0.2 Help

On Sat, Jan 24, 2015 at 2:27 AM, GROETZ, MICHAEL A CTR USAF AFMC AFRL/RYWA <mic...@us...> wrote:

> I guess I'm also confused by what you mean when you refer to illegal code.
> Seems like no matter what exe I try to disassemble, I get about 4 lines
> assembly instructions.

you got the same output because you are trying to disassemble the same thing: all the EXE file share the same the first part as a EXE header.

what you need to do is to disassemble code, not header, so you should start from the EXE entry pointer, not from the EXE header.

to find the EXE entry pointer, read documentation about PE/PE+ format (PE is EXE header of 32bit EXE, PE+ is header of 64bit EXE).

another way is to read source code of binary analysis program (such as http://radare.org) to see how they deal with EXE files.

thanks,
Q

-----Original Message-----
From: Nguyen Anh Quynh [mailto:aq...@gm...]
Sent: Friday, January 23, 2015 10:38 AM
To: Capstone disassembly framework (www.capstone-engine.org)
Subject: Re: [Capstone-users] Capstone / NetBeans 8.0.2 Help

On Fri, Jan 23, 2015 at 11:15 PM, GROETZ, MICHAEL A CTR USAF AFMC AFRL/RYWA <mic...@us...> wrote:

> When I try to disassemble Test.exe, I get the following:
>
> 0x1000: pop r10
> 0x1002: npop
> 0x1003 add byte ptr [rbx], a1
> 0x1005: add byte ptr [rbx], a1

i can see that you are trying to disasm Test.exe, but don't expect to see its code: you are actually reading from the beginning of Test.exe, where the PE header is. the actual code is way behind that. and by default, Capstone stops at the first ever illegal code, so you only see 4 assembly instructions like above.

thanks.

From: Capstone E. <cap...@gm...> - 2015-01-25 22:48:01
On Mon, Jan 26, 2015 at 2:11 AM, Michael Liu <lfl...@gm...> wrote:

> Hi, All
> I just want to use OCaml with Capstone, I can see that there is an
> instruction on how to install python bindings. However, for the OCaml
> binding, the 'README' just said:
> ===
>
> To compile Ocaml binding, Ocaml toolchain is needed. On Ubuntu Linux,
> you can install Ocaml with:
>
> $ sudo apt-get install ocaml-nox
>
> To compile Ocaml binding, simply run "make" on the command line.
>
> ===
>
> Now, I could make successfully.

can you confirm all the test* files work without any issue?

> But I have no idea on how to install the compiled files, any help would be
> grateful.

yes, currently there is no "make install" for Ocaml yet. if you figure out how to do that, please consider submitting a Github pull request, so i can merge it and make it available for others.

cheers,
Q

From: Michael L. <lfl...@gm...> - 2015-01-25 18:11:53
Hi, All

I just want to use OCaml with Capstone, I can see that there is an instruction on how to install python bindings. However, for the OCaml binding, the 'README' just said:

===

To compile Ocaml binding, Ocaml toolchain is needed. On Ubuntu Linux, you can install Ocaml with:

$ sudo apt-get install ocaml-nox

To compile Ocaml binding, simply run "make" on the command line.

===

Now, I could make successfully. But I have no idea on how to install the compiled files, any help would be grateful.

Best
Michael

From: Nguyen A. Q. <aq...@gm...> - 2015-01-24 00:29:07
|
On Fri, Jan 23, 2015 at 11:43 PM, Peter Mackay <mac...@gm...> wrote:

> Hello,
>
> Sorry for butting in. I've never used the Java wrapper so I may be
> off-base here, but is it possible you're getting nulls for the
> mnemonic and operands because you're not enabling detail?
>
> cs.setDetail(true); // maybe something like this.
>

Peter, i think you mistake the Detail mode with X86-Reduce mode (http://capstone-engine.org/x86reduce.html), because even if Detail mode is OFF (which is default mode), you always have Mnemonics & operands. only when engine is built in X86-Reduce mode, you have NULL mnemonics & operands.

anyway, Peter got a good point, but this situation is unlikely to happen with Groetz for some reasons:

1. by default, Capstone does not enable X86-Reduce mode. you must know how to compile the engine to have that.
2. his C code works without any issue, so X86-Reduce mode must be disabled.
3. The engine available in binary at http://capstone-engine.org/download/3.0/capstone-3.0-win64.zip is a full engine (with X86-Reduce mode OFF), and Groetz also used that but his problem is not solved.

Groetz, can you tell in detail every step you did (from download, compile, install Capstone, to how you install Java, compile TestX86.java & run it), so i can try to reproduce the problem on Windows?

thanks.
Q

On 23 January 2015 at 15:37, Nguyen Anh Quynh <aq...@gm...> wrote:
>
> On Fri, Jan 23, 2015 at 11:15 PM, GROETZ, MICHAEL A CTR USAF AFMC AFRL/RYWA
> <mic...@us...> wrote:
>>
>> When I try to disassemble Test.exe, I get the following:
>>
>> 0x1000: pop r10
>> 0x1002: npop
>> 0x1003 add byte ptr [rbx], a1
>> 0x1005: add byte ptr [rbx], a1
>>
>
> i can see that you are trying to disasm Test.exe, but don't expect to see its
> code: you are actually reading from the beginning of Test.exe, where the PE
> header is. the actual code is way behind that. and by default, Capstone
> stops at the first ever illegal code, so you only see 4 assembly
> instructions like above.
>
> thanks.
|
From: Nguyen A. Q. <aq...@gm...> - 2015-01-24 00:20:34
|
On Sat, Jan 24, 2015 at 2:27 AM, GROETZ, MICHAEL A CTR USAF AFMC AFRL/RYWA <mic...@us...> wrote:

> I guess I'm also confused by what you mean when you refer to illegal code.
> Seems like no matter what exe I try to disassemble, I get about 4 lines
> assembly instructions.
>

you got the same output because you are trying to disassemble the same thing: all the EXE files share the same first part as an EXE header.

what you need to do is to disassemble code, not header, so you should start from the EXE entry pointer, not from the EXE header.

to find the EXE entry pointer, read documentation about PE/PE+ format (PE is EXE header of 32bit EXE, PE+ is header of 64bit EXE). another way is to read source code of binary analysis program (such as http://radare.org) to see how they deal with EXE files.

thanks,
Q

-----Original Message-----
From: Nguyen Anh Quynh [mailto:aq...@gm...]
Sent: Friday, January 23, 2015 10:38 AM
To: Capstone disassembly framework (www.capstone-engine.org)
Subject: Re: [Capstone-users] Capstone / NetBeans 8.0.2 Help

On Fri, Jan 23, 2015 at 11:15 PM, GROETZ, MICHAEL A CTR USAF AFMC AFRL/RYWA <mic...@us...> wrote:

When I try to disassemble Test.exe, I get the following:

0x1000: pop r10
0x1002: npop
0x1003 add byte ptr [rbx], a1
0x1005: add byte ptr [rbx], a1

i can see that you are trying to disasm Test.exe, but don't expect to see its code: you are actually reading from the beginning of Test.exe, where the PE header is. the actual code is way behind that. and by default, Capstone stops at the first ever illegal code, so you only see 4 assembly instructions like above.

thanks.
|
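The step recommended in the message above (find the entry point from the PE/PE+ headers and start disassembling there instead of at offset 0), as an added Python example that is not part of the original thread or of Capstone's own code. The function names `entry_point` and `build_sample_pe` are hypothetical, and the sample image is constructed for the example.

```python
import struct

def entry_point(pe: bytes):
    """Return (entry_rva, file_offset, bits) for a PE/PE+ image held in memory."""
    try:
        if len(pe) < 0x40 or pe[:2] != b"MZ":
            raise ValueError("no MZ header")
        (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)       # offset of "PE\0\0"
        if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            raise ValueError("no PE signature")
        coff = e_lfanew + 4                                    # 20-byte COFF header
        _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
        opt = coff + 20                                        # optional header
        (magic,) = struct.unpack_from("<H", pe, opt)
        bits = {0x10B: 32, 0x20B: 64}.get(magic)               # PE vs PE+
        if bits is None:
            raise ValueError("unknown optional header magic")
        (entry_rva,) = struct.unpack_from("<I", pe, opt + 16)  # AddressOfEntryPoint
        sections = opt + opt_size                              # section table
        for i in range(nsections):
            _, _, vaddr, rawsize, rawptr = struct.unpack_from(
                "<8sIIII", pe, sections + 40 * i)
            delta = entry_rva - vaddr
            # The entry point must fall inside bytes that exist in the file.
            if 0 <= delta < rawsize and rawptr + delta < len(pe):
                return entry_rva, rawptr + delta, bits
    except struct.error as exc:                                # header runs past EOF
        raise ValueError("truncated PE headers") from exc
    raise ValueError("entry point not backed by any section's raw data")

def build_sample_pe() -> bytes:
    """Constructed minimal PE+ image: one .text section holding 4 code bytes."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0xF0, 0x22)
    opt = struct.pack("<HBBIIII", 0x20B, 0, 0, 0, 0, 0, 0x1000).ljust(0xF0, b"\0")
    text = struct.pack("<8sIIII", b".text", 4, 0x1000, 0x200, 0x200) + b"\0" * 16
    headers = (dos + b"PE\0\0" + coff + opt + text).ljust(0x200, b"\0")
    return headers + bytes.fromhex("4831c0c3").ljust(0x200, b"\0")  # xor rax,rax; ret

if __name__ == "__main__":
    pe = build_sample_pe()
    rva, off, bits = entry_point(pe)
    # pe[off:] is the buffer to hand to the disassembler, in 32- or 64-bit
    # mode according to `bits`; pe[0:] would decode header bytes instead.
    print(f"entry RVA {rva:#x} -> file offset {off:#x}, {bits}-bit, "
          f"first bytes {pe[off:off + 4].hex()}")
```

Malformed or truncated files raise `ValueError` rather than returning an offset, which matters when the input is an untrusted sample.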
From: GROETZ, M. A C. U. A. AFRL/R. <mic...@us...> - 2015-01-23 18:27:38
|
I guess I'm also confused by what you mean when you refer to illegal code. Seems like no matter what exe I try to disassemble, I get about 4 lines assembly instructions.

Thanks.

-----Original Message-----
From: Nguyen Anh Quynh [mailto:aq...@gm...]
Sent: Friday, January 23, 2015 10:38 AM
To: Capstone disassembly framework (www.capstone-engine.org)
Subject: Re: [Capstone-users] Capstone / NetBeans 8.0.2 Help

On Fri, Jan 23, 2015 at 11:15 PM, GROETZ, MICHAEL A CTR USAF AFMC AFRL/RYWA <mic...@us...> wrote:

When I try to disassemble Test.exe, I get the following:

0x1000: pop r10
0x1002: npop
0x1003 add byte ptr [rbx], a1
0x1005: add byte ptr [rbx], a1

i can see that you are trying to disasm Test.exe, but dont expect to see its code: you are actually reading from the beginning of Test.exe, where the PE header is. the actual code is way behind that. and by default, Capstone stops at the first ever illegal code, so you only see 4 assembly instructions like above.

thanks.
|
From: GROETZ, M. A C. U. A. AFRL/R. <mic...@us...> - 2015-01-23 17:45:38
|
I gave that a shot earlier, no luck. Thanks for the suggestion though.

-Mike

-----Original Message-----
From: Peter Mackay [mailto:mac...@gm...]
Sent: Friday, January 23, 2015 10:43 AM
To: Capstone disassembly framework (www.capstone-engine.org)
Subject: Re: [Capstone-users] Capstone / NetBeans 8.0.2 Help

Hello,

Sorry for butting in. I've never used the Java wrapper so I may be off-base here, but is it possible you're getting nulls for the mnemonic and operands because you're not enabling detail?

cs.setDetail(true); // maybe something like this.

Thanks,
Peter

On 23 January 2015 at 15:37, Nguyen Anh Quynh <aq...@gm...> wrote:
>
> On Fri, Jan 23, 2015 at 11:15 PM, GROETZ, MICHAEL A CTR USAF AFMC
> AFRL/RYWA <mic...@us...> wrote:
>>
>> When I try to disassemble Test.exe, I get the following:
>>
>> 0x1000: pop r10
>> 0x1002: npop
>> 0x1003 add byte ptr [rbx], a1
>> 0x1005: add byte ptr [rbx], a1
>>
>
> i can see that you are trying to disasm Test.exe, but don't expect to
> see its code: you are actually reading from the beginning of Test.exe,
> where the PE header is. the actual code is way behind that. and by default,
> Capstone stops at the first ever illegal code, so you only see 4
> assembly instructions like above.
>
> thanks.
|
From: GROETZ, M. A C. U. A. AFRL/R. <mic...@us...> - 2015-01-23 16:03:24
|
Okay, so I apologize in advance if this is a stupid question. How do I see all the disassembled code - beyond the PE header? Can you provide an example?

Thank You for helping me.

-Mike

-----Original Message-----
From: Nguyen Anh Quynh [mailto:aq...@gm...]
Sent: Friday, January 23, 2015 10:38 AM
To: Capstone disassembly framework (www.capstone-engine.org)
Subject: Re: [Capstone-users] Capstone / NetBeans 8.0.2 Help

On Fri, Jan 23, 2015 at 11:15 PM, GROETZ, MICHAEL A CTR USAF AFMC AFRL/RYWA <mic...@us...> wrote:

When I try to disassemble Test.exe, I get the following:

0x1000: pop r10
0x1002: npop
0x1003 add byte ptr [rbx], a1
0x1005: add byte ptr [rbx], a1

i can see that you are trying to disasm Test.exe, but don't expect to see its code: you are actually reading from the beginning of Test.exe, where the PE header is. the actual code is way behind that. and by default, Capstone stops at the first ever illegal code, so you only see 4 assembly instructions like above.

thanks.
|
From: Peter M. <mac...@gm...> - 2015-01-23 15:43:19
|
Hello,

Sorry for butting in. I've never used the Java wrapper so I may be off-base here, but is it possible you're getting nulls for the mnemonic and operands because you're not enabling detail?

cs.setDetail(true); // maybe something like this.

Thanks,
Peter

On 23 January 2015 at 15:37, Nguyen Anh Quynh <aq...@gm...> wrote:
>
> On Fri, Jan 23, 2015 at 11:15 PM, GROETZ, MICHAEL A CTR USAF AFMC AFRL/RYWA
> <mic...@us...> wrote:
>>
>> When I try to disassemble Test.exe, I get the following:
>>
>> 0x1000: pop r10
>> 0x1002: npop
>> 0x1003 add byte ptr [rbx], a1
>> 0x1005: add byte ptr [rbx], a1
>>
>
> i can see that you are trying to disasm Test.exe, but dont expect to see its
> code: you are actually reading from the beginning of Test.exe, where the PE
> header is. the actual code is way behind that. and by default, Capstone
> stops at the first ever illegal code, so you only see 4 assembly
> instructions like above.
>
> thanks.
|
From: Nguyen A. Q. <aq...@gm...> - 2015-01-23 15:38:15
|
On Fri, Jan 23, 2015 at 11:15 PM, GROETZ, MICHAEL A CTR USAF AFMC AFRL/RYWA <mic...@us...> wrote:

> When I try to disassemble Test.exe, I get the following:
>
> 0x1000: pop r10
> 0x1002: npop
> 0x1003 add byte ptr [rbx], a1
> 0x1005: add byte ptr [rbx], a1
>

i can see that you are trying to disasm Test.exe, but don't expect to see its code: you are actually reading from the beginning of Test.exe, where the PE header is. the actual code is way behind that. and by default, Capstone stops at the first ever illegal code, so you only see 4 assembly instructions like above.

thanks.
|