Learn Reverse Engineering with Capstone Disassembler for C/C++

Abhinay KumarAbhinay Kumar
2 min read

Table of contents

Introduction

Disassemblers are tools that convert raw machine code back into human-readable assembly instructions.
Whether you’re doing reverse engineering, malware analysis, binary translation, or developing low-level debugging tools — you’ll need a reliable disassembly engine.

Capstone is one of the most popular open-source disassembly frameworks, and for good reason:

  • Cross-platform comptabilty (Windows, Linux, macOS)

  • Multi-architecture support (x86, ARM, MIPS, PowerPC, etc.)

  • Ease of embedding in tools and scripts

  • Integration with major reverse engineering frameworks like Ghidra, Radare2, and Binary Ninja.

Features of Capstone

  • Multi-architecture: Supports x86/x86-64, ARM, ARM64, MIPS, PowerPC, SPARC, and more.

  • Multi-platform: Works on Linux, Windows and macOS.

  • Open Source: BSD-licensed, free for commercial and academic use.

  • Bindings: Provides a C API and wrappers for Python,Java , Go and more.

  • Detailed Disassembly: Offers access to mnemonic, operands, registers, and instruction details.

Installation

For Linux (Debian/Ubuntu)

sudo apt update
sudo apt install libcapstone-dev

Windows

  • Download precompiled binaries from Capstone releases

  • Alternatively, build from source using CMake.

macOS(Homebrew)

brew install capstone

Example to get Started in C

#include <stdio.h>
#include <inttypes.h>
#include <capstone/capstone.h>

int main() {
    csh handle;
    cs_insn *insn;
    size_t count;

    // x86 machine code: "mov eax, ebx; add eax, ecx"
    uint8_t code[] = { 0x89, 0xD8, 0x01, 0xC8 };

    if (cs_open(CS_ARCH_X86, CS_MODE_32, &handle) != CS_ERR_OK)
        return -1;

    count = cs_disasm(handle, code, sizeof(code), 0x1000, 0, &insn);
    if (count > 0) {
        for (size_t i = 0; i < count; i++) {
            printf("0x%"PRIx64":\t%s\t%s\n",
                insn[i].address, insn[i].mnemonic, insn[i].op_str);
        }
        cs_free(insn, count);
    } else {
        printf("ERROR: Failed to disassemble code!\n");
    }

    cs_close(&handle);
    return 0;
}

Output

0x1000:    mov    eax, ebx
0x1002:    add    eax, ecx

Understanding the API

  • cs_open() → Initialize a disassembler handle for a given architecture and mode

  • cs_disasm() → Disassemble the given byte array into readable instructions

  • cs_free() → Free the allocated instruction array

  • cs_close() → Clean up and close the handle

Disassembling from a File

You can extend the example to:

  1. Read an executable file into memory

  2. Pass the relevant byte section to Capstone

  3. Print the disassembled instructions

(This requires knowing the file format — ELF for Linux, PE for Windows — and parsing it to extract code sections.)

Conclusion

Capstone makes low-level binary work accessible, fast, and portable. With just a few lines of code, you can embed powerful disassembly capabilities into your own tools.

Where to go next

https://github.com/capstone-engine/capstone
0
Subscribe to my newsletter

Read articles from Abhinay Kumar directly inside your inbox. Subscribe to the newsletter, and don't miss out.

System Softwarelow level programmingreverse engineeringstatic malware analysisassembly x86/64 assembly programmingdisassembler

Written by

Abhinay Kumar
Abhinay Kumar