Not quite related, but I figure the audience might have some overlap: what is going on with Keystone?
Capstone's coverage of ARM, RISC-V, and other architectures makes it strong for reverse engineering. When used with its sibling project Keystone, switching from disassembly to assembly across platforms becomes straightforward for researchers.
As one who helped improve Capstone and its even more wonderful partner, Unicorn, I actually found an exploit in QEMU using Capstone/Unicorn.
Unicorn is a nearly-true software-based CPU emulator for the ARM, AArch64, M68K, Mips, Sparc, PowerPC, RiscV, S390x, TriCore, and X86 CPU (and memory) architectures.
This pair-up is arguably the best set of software tools out there.
QEMU? No worries, that was way back in QEMU v1.4 days (emulation of the Intel IMUL Ib/DWORD OPC_IMUL_GvEvIb opcode getting tripped up by an XOR opcode doing a self-modifying operand write while the TLB cache didn't flush, resulting in a double XOR; ROT13x2 anyone?)
Fabrice fixed it then and is still blazing at QEMU 10.0 now. Ain't he awesome?
Yeah, I actually ran a portion of QEMU's TLB through Unicorn back then.
https://github.com/unicorn-engine/unicorn/issues/364
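The failure mode described in the comment above, a cached translation surviving a self-modifying write so the XOR runs twice and cancels itself out, can be modelled in a few lines. This is an added, constructed example for the thread, not QEMU's or Unicorn's code: the tiny 8-bit ISA, its opcodes, the `Machine` class and the guest program are all made up for illustration.

```python
"""Toy binary translator with a code-translation cache, showing why the cache
must be invalidated when guest code writes to bytes that were already
translated (self-modifying code).  Constructed example, not QEMU's or
Unicorn's code: the 8-bit ISA, its opcodes and the Machine class are made up."""

# Opcodes of the made-up ISA
OP_XORI = 0x01    # XORI imm8          r0 ^= imm8                        (2 bytes)
OP_STORE = 0x02   # STORE addr8, v8    mem[addr8] = v8                   (3 bytes)
OP_DECJNZ = 0x03  # DECJNZ addr8       r1 -= 1; if r1 != 0: pc = addr8   (2 bytes)
OP_HALT = 0x04    # HALT                                                 (1 byte)


class Machine:
    def __init__(self, program, r1, invalidate_on_write):
        self.mem = bytearray(256)
        self.mem[:len(program)] = program
        self.r0 = 0
        self.r1 = r1
        self.pc = 0
        self.halted = False
        self.invalidate_on_write = invalidate_on_write
        self.cache = {}  # pc -> (host closure, instruction length)

    def write(self, addr, value):
        """Guest store.  A coherent translator drops every cached translation
        whose bytes overlap the written address; the buggy variant keeps it."""
        self.mem[addr] = value
        if self.invalidate_on_write:
            stale = [pc for pc, (_, n) in self.cache.items() if pc <= addr < pc + n]
            for pc in stale:
                del self.cache[pc]

    def translate(self, pc):
        """Decode the instruction at pc into a host closure.  Immediates are
        read now and baked into the closure, as generated host code would be,
        so a later guest write to those bytes is invisible unless the cache
        entry is invalidated.  The closure returns the next pc, or None to
        fall through to the following instruction."""
        op = self.mem[pc]
        if op == OP_XORI:
            imm = self.mem[pc + 1]
            def xori(m):
                m.r0 ^= imm
            return xori, 2
        if op == OP_STORE:
            addr, value = self.mem[pc + 1], self.mem[pc + 2]
            def store(m):
                m.write(addr, value)
            return store, 3
        if op == OP_DECJNZ:
            target = self.mem[pc + 1]
            def decjnz(m):
                m.r1 -= 1
                return target if m.r1 != 0 else None
            return decjnz, 2
        if op == OP_HALT:
            def halt(m):
                m.halted = True
            return halt, 1
        raise ValueError(f"bad opcode {op:#x} at {pc:#x}")

    def run(self, max_steps=1000):
        for _ in range(max_steps):
            if self.halted:
                return self.r0
            if self.pc not in self.cache:
                self.cache[self.pc] = self.translate(self.pc)
            fn, length = self.cache[self.pc]
            nxt = fn(self)
            self.pc = self.pc + length if nxt is None else nxt
        raise RuntimeError("step limit hit")


# Constructed guest program: XOR r0 with 0x55, patch that immediate to 0x00 in
# place, then loop back once.  A coherent translator leaves r0 == 0x55; a stale
# cache re-runs the original XOR and cancels it out (the "double XOR").
PROGRAM = bytes([
    OP_XORI, 0x55,          # 0x00: r0 ^= 0x55
    OP_STORE, 0x01, 0x00,   # 0x02: mem[0x01] = 0x00  (rewrites the immediate above)
    OP_DECJNZ, 0x00,        # 0x05: r1 -= 1; jump to 0x00 while r1 != 0
    OP_HALT,                # 0x07
])


def final_r0(invalidate_on_write):
    """Run the program with r1 = 2 (two passes) and return the final r0."""
    return Machine(PROGRAM, r1=2, invalidate_on_write=invalidate_on_write).run()


if __name__ == "__main__":
    print(f"coherent cache: r0 = {final_r0(True):#04x}")   # 0x55
    print(f"stale cache:    r0 = {final_r0(False):#04x}")  # 0x00
```

The interesting part is `write()`: the translation cache is keyed by guest pc, so a store has to be checked against the byte range of every cached entry, not just the entry at the store's own address. Dropping that check is what turns a single XOR into two.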