Capstone support?

[GoogleCodeExporter]

Is there any plan to use Capstone disassembly framework for EDB? It has amazing 
features, and has better support for x86 (besides Arm, Arm64, etc) than other 
frameworks I think. 

Capstone has BSD license, so I think it can be used by EDB.

Original issue reported on code.google.com by junkoi2...@gmail.com on 7 Apr 2014 at 6:39

[GoogleCodeExporter]

There are no current plans to support 3rd party disassembly engines in edb. Is 
there some compelling feature that it offers that edb can't currently provide?

The ARM support is intriguing, but I would need to update a lot more than just 
the disassembly engine to support it in edb. Specifically the core debugger 
plugin would need a massive update. So that's a whole other feature request :-).

Original comment by evan.teran on 8 Apr 2014 at 2:27

• Added labels: Type-Enhancement
• Removed labels: Type-Defect

[GoogleCodeExporter]

Is the current disasm engine built by you? If so, there is a good chance that 
Capstone supports more X86 modern instructions than your (and can be more 
accurate, too).

If you need the breakdown details from instruction operands, that is also 
available.

http://capstone-engine.org/features.html

Original comment by junkoi2...@gmail.com on 9 Apr 2014 at 10:55

[GoogleCodeExporter]

Yes, the current engine is built by me.

While I'm sure that Capstone is a good disassember (there are many). It would 
be an awful lot of work to change how EDB works to use it instead of the 
current one. Unfortunately, "a good chance" of it supporting something is not a 
good enough reason to justify the effort (and possible introduction of bugs).

If there is a specific, useful feature that it offers which EDB (and edisassm) 
currently do not, then it may be worth looking into.

But as I said the amount of effort does not seem to be justified by the 
*possible* (if any) gains.

I'm closing this bug for now. Feel free to reopen if there is one or more 
specific features in Capstone which you think justifies the effort to support 
it.

Original comment by evan.teran on 18 Apr 2014 at 7:23

• Changed state: WontFix

[GoogleCodeExporter]

I understand your point, but users who use edb to analyze malware might not 
agree: having a robust, capable disassembler is a must, especially because 
malware use a lot of tricks with undocumented/weird x86 instructions.

Capstone looks like the most capable x86 disassembler out there. The authors 
are actively working on it, too.

    https://twitter.com/capstone_engine/status/461125984884756481

Thanks.

Original comment by junkoi2...@gmail.com on 2 May 2014 at 1:26

[GoogleCodeExporter]

@junkoi2004:

It seems like you are making some assumptions about the current disassembly 
engine. Specifically it feels like you are assuming the following about 
edisassm (the current engine):

1. it is not under active development.
2. it is not robust.
3. it is not "capable".
4. it may have trouble with "tricky" x86 instructions.

I would disagree with ALL of these assumptions you appear to be making.

Instead of pointing to something lacking in the current disassembly engine, you 
have been pointing to things you think are good about capstone without 
demonstrating that those same things are currently lacking.

To be frank, that's a sales pitch, not a bug report.

I am more thank happy to seriously consider other disassembly engines, 
including capstone. But above all else. The number one thing that would be 
needed to make that even remotely reasonable, would be to show me how the 
current engine is falling short.

I have taking a look at the twitter post you referenced and will correct 
edisassm to disassemble those byte sequences properly once I have confirmed 
that capstone's disassembly is correct :-).

Original comment by evan.teran on 2 May 2014 at 6:29