Capstone
Capstone is a lightweight multi-platform, multi-architecture disassembly framework. It provides a command-line tool cstool to disassemble hexadecimal strings.
Description
Capstone is designed for disassembling code across numerous hardware architectures including ARM, ARM64, BPF, Ethereum VM, M68K, M680X, Mips, MOS65XX, PPC, RISC-V, SH, Sparc, SystemZ, TMS320C64X, TriCore, Webassembly, XCore, and X86 (16/32/64-bit). The framework offers a clean, intuitive API and provides detailed instruction information such as implicit registers read and written, making it suitable for advanced analysis tasks.
The cstool command-line tool enables users to disassemble hexadecimal strings directly from the terminal, supporting various architectures and modes like big-endian ARM or AT&T syntax for X86. This is particularly useful for quick disassembly tasks in reverse engineering workflows.
Capstone's high performance and thread-safe design make it ideal for malware analysis, capable of handling complex X86 malware techniques. It supports embedding into firmware or OS kernels and is distributed under the BSD license with bindings for numerous programming languages.
How It Works
Capstone operates as a disassembly engine that takes machine code, which cstool accepts as a hexadecimal string, and outputs disassembled instructions with detailed semantics. It supports multiple architectures through its architecture-neutral API implemented in pure C. The cstool tool processes input according to a specified architecture-mode combination (e.g., x64, armbe) and applies options such as SKIPDATA mode or unsigned immediates. Instructions are decomposed with details on the registers they access, and syntax variants such as AT&T for X86 are available.
Installation
sudo apt install capstone-tool
Flags
Examples
cstool -h
cstool x64 <assembly-hexstring>
cstool x32att <assembly-hexstring>
cstool arm <assembly-hexstring>
cstool armbe <assembly-hexstring>
cstool -d x64 <assembly-hexstring>
cstool x16 <assembly-hexstring> 0x1000