PyREBox is a Python scriptable Reverse Engineering sandbox. It is based on QEMU, and its goal is to aid reverse engineering by providing dynamic analysis and debugging capabilities from a different perspective. PyREBox allows to inspect a running QEMU VM, modify its memory or registers, and to instrument its execution, by creating simple scripts in python to automate any kind of analysis. QEMU (when working as a whole-system-emulator) emulates a complete system (CPU, memory, devices…). By using VMI techniques, it does not require to perform any modification into the guest operating system, as it transparently retrieves information from its memory at run-time. Several academic projects such as DECAF, PANDA, S2E, or AVATAR, have previously leveraged QEMU based instrumentation to overcome reverse engineering tasks. These projects allow to write plugins in C/C++, and implement several advanced features such as dynamic taint analysis, symbolic execution, or even record and replay of execution traces. With PyREBox, we aim to apply this technology focusing on keeping the design simple, and on the usability of the system for threat analysts.

Unicorn Emulator 1.0.1 released

Nguyen Anh Quynh announced the 1.0.1 release of the Unicorn CPU Emulator.

[unicorn-engine] Unicorn Emulator v1.0.1 is out!
We are excited to announce version 1.0.1 for Unicorn CPU Emulator framework! This is a stable release, in which we fixed some issues in the core, added some features on Arm, Arm64, Mips & X86. […]


grap: define and match graph patterns within binaries:
grap takes patterns and binary files, uses a Casptone-based disassembler to obtain the control flow graphs from the binaries, then matches the patterns against them. Patterns are user-defined graphs with instruction conditions (“opcode is xor and arg1 is eax”) and repetition conditions (3 identical instructions, basic blocks…). grap is both available as a standalone tool with a disassembler and as an IDA plugin which takes advantage of the disassembly done by IDA and the reverser.


CaptainHook is hooking framwork for x86/x64 arch, it’s based on capstone disassembler engine. CaptainHook equipped with smart engine (TO FINISH). CaptainHook is easy to using, and very freandly. the hook engine is much like MS Detours, so why to choose it?

* its support x64 (Detours x64 is commerical – $10,000~)
* CaptainHook will know where to locate your hook in real time, its analyze the code, and find if small API redirection (Wow64 hook on kernelbase for example, or on protector like VMP or Themida) was occurred
* in the next release, CaptainHook will contain an engine for jmp/conditional jmp repair – if your hook corrupt sensitive code
* in the next release, CaptainHook will contain more hook type, like PageGuard hooking etc.

cemu – Cheap EMUlator: Qt GUI of Keystone, Unicode, Capstone

Hugsy has created cemu, the Cheap EMUlator that shellcoders will enjoy:

Cheap EMUlator is a simple tool to combine together all the features of Keystone, Unicorn and Capstone engines in a Qt powered GUI. It allows to test binary samples, check your shellcodes or even simply learn how to write assembly code, all of this for the following architectures:

    x86-32 / x86-64
    Arm / AArch64
    MIPS / MIPS64
    (more to come)

    unicorn and its Python bindings, as the emulation engine
    keystone and its Python bindings, as the assembly engine
    capstone and its Python bindings, as the disassembly engine
    PyQt5 for the GUI
    pygments for the text colorization

Moar info:


PLASMA: interactive disassembler generates pseudocode

There’s a new disassembler that looks like it has nice output:

PLASMA is an interactive disassembler. It can generate a more readable assembly (pseudo code) with colored syntax. You can write scripts with the available Python api. It supports :
*  architectures : x86, ARM, MIPS{64} (partially)
 *  formats : ELF, PE, RAW

Keystone Project announced

Nguyen Anh Quynh announced the Keystone Engine Project, with an IndieGogo funding campaign to help them:

We are very excited to announce our IndieGogo campaign for Keystone Engine, the next-gen assembler framework! After Capstone & Unicorn, Keystone is the latest of our on-going effort to bring better tools to the reverse-engineering community. Now with the final missing piece Keystone, we complete the magical trilogy of disassembler – emulator – assembler. Come support us, and help to spread the news, so together we can solve the lingering problem of missing the assembler framework once, and for all! The Keystone name came from some private conversation with Felix “FX” Lindner. Thanks for such a great inspiration, FX!

MacDBG: new Mac OS X debugger

Tyler Bohan has released a new debugging tool for Mac OS X, including a Capstone-based dissassembler:

Excerpt from readme:

Mac Debugger is simple easy to use C and python debugging framework for OSX. Mac Debugger was created with the focus on giving the programmer a powerful framework to programatically create scripts to debug programs on Mac OSX not found in other products for the platform. The core of macdbg, written in C, is kept as minimal as possible to provide enough basic interaction between the kernel and userland to create powerful features. Higher level functionality is left to the Python implementation such as stack tracing, dissasembly, watchpoints, thread state, and more. A wrapper class is provided for the programmer to create a scripting program. […]

BinWalk 2.1.1 released

New to 2.1.1:
    Many bug fixes
    New/improved file signatures
    Disassembly scans (using the Capstone Engine)
    Improved raw Deflate compression detection and extraction
    Raw LZMA compression detection and extraction
    Improved false positive detection for common compressions (Zlib, LZMA)
    An IDA plugin for running binwalk inside of IDA
    Integration of better extraction utilities (e.g., sasquatch for SquashFS, jefferson for JFFS2)
    Removal of all C library dependencies, including libmagic – pure Python!
    Native Windows support!

Immunity: free Infiltrate tickets for improving BinNavi

Dave Aitel of Immunity has announced free tickets to Infiltrate for people who can improve the recently-opensourced BinNavi project:

Every year, from HackCup to various coding challenges, we like to think of unique ways you can join us at THE BEST SECURITY CONFERENCE here in Miami next April 7th and 8th. We are starting this year with two new contests now that BinNavi is Open Sourced: 1) If you and your friends add Capstone (or another disassembler/analyzer) to BinNavi, to remove the IDA requirement, then we will send you three free tickets to INFILTRATE 2016! 2) If you and your friends integrate a decompiler with BinNavi, then we will also send you three free tickets to INFILTRATE 2016! If you do both, you get six free tickets to INFILTRATE.