grap: define and match graph patterns within binaries:
grap takes patterns and binary files, uses a Casptone-based disassembler to obtain the control flow graphs from the binaries, then matches the patterns against them. Patterns are user-defined graphs with instruction conditions (“opcode is xor and arg1 is eax”) and repetition conditions (3 identical instructions, basic blocks…). grap is both available as a standalone tool with a disassembler and as an IDA plugin which takes advantage of the disassembly done by IDA and the reverser.




CaptainHook is hooking framwork for x86/x64 arch, it’s based on capstone disassembler engine. CaptainHook equipped with smart engine (TO FINISH). CaptainHook is easy to using, and very freandly. the hook engine is much like MS Detours, so why to choose it?

* its support x64 (Detours x64 is commerical – $10,000~)
* CaptainHook will know where to locate your hook in real time, its analyze the code, and find if small API redirection (Wow64 hook on kernelbase for example, or on protector like VMP or Themida) was occurred
* in the next release, CaptainHook will contain an engine for jmp/conditional jmp repair – if your hook corrupt sensitive code
* in the next release, CaptainHook will contain more hook type, like PageGuard hooking etc.



cemu – Cheap EMUlator: Qt GUI of Keystone, Unicode, Capstone

Hugsy has created cemu, the Cheap EMUlator that shellcoders will enjoy:

Cheap EMUlator is a simple tool to combine together all the features of Keystone, Unicorn and Capstone engines in a Qt powered GUI. It allows to test binary samples, check your shellcodes or even simply learn how to write assembly code, all of this for the following architectures:

    x86-32 / x86-64
    Arm / AArch64
    MIPS / MIPS64
    (more to come)

    unicorn and its Python bindings, as the emulation engine
    keystone and its Python bindings, as the assembly engine
    capstone and its Python bindings, as the disassembly engine
    PyQt5 for the GUI
    pygments for the text colorization

Moar info:



PLASMA: interactive disassembler generates pseudocode

There’s a new disassembler that looks like it has nice output:

PLASMA is an interactive disassembler. It can generate a more readable assembly (pseudo code) with colored syntax. You can write scripts with the available Python api. It supports :
*  architectures : x86, ARM, MIPS{64} (partially)
 *  formats : ELF, PE, RAW



Keystone Project announced

Nguyen Anh Quynh announced the Keystone Engine Project, with an IndieGogo funding campaign to help them:

We are very excited to announce our IndieGogo campaign for Keystone Engine, the next-gen assembler framework! After Capstone & Unicorn, Keystone is the latest of our on-going effort to bring better tools to the reverse-engineering community. Now with the final missing piece Keystone, we complete the magical trilogy of disassembler – emulator – assembler. Come support us, and help to spread the news, so together we can solve the lingering problem of missing the assembler framework once, and for all! The Keystone name came from some private conversation with Felix “FX” Lindner. Thanks for such a great inspiration, FX!