DEV IN PROGRESS

Introducing an alternative to YARA: ROST

Posted on October 13, 2023 at 4:36

The development of Chrysalide remains active, and its analysis process has been lately focused on binary scanning.

On this matter, the YARA tool from VirusTotal is commonly adopted, but the program evolves quite slowly and any module addition requires recompiling the whole project. So ROST was created with these key principles in mind:

  • allowing new functions and namespaces to be defined as keywords for match conditions;
  • offering extension capabilities through native modules or Python scripts;
  • making scan results easier to process, with an optional JSON output;
  • supporting many formats, relying on Kaitai Struct definitions for the parsing process.

ROST's grammar is similar to YARA's, with some minor incompatibilities. A provided tool, yara2rost, can translate existing YARA rules on the fly without effort.

Here is a mandatory Hello World example to show ROST in action:

$ echo "Hello world!" | iconv -f ascii -t utf-16le > hello.bin

$ cat hello.rost

rule HelloWorld {

    bytes:
        $w = "world" wide

    condition:
        $w

}

$ rost -j hello.rost hello.bin | jq '.[] | [ .matched, .bytes_patterns[0].matches[0].offset ]'
[
  true,
  12
]

Regular output is also available:

$ rost -s hello.rost hello.bin
HelloWorld hello.bin
0xc:$w: w\x00o\x00r\x00l\x00d\x00
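To make the `wide` modifier and the reported offset concrete, here is an added Python example (not part of Chrysalide or ROST) that emulates what the HelloWorld rule does on the same input: it builds the UTF-16LE form of "world", finds every occurrence in the constructed hello.bin bytes and renders the hit the way `rost -s` prints it. The function names and the escaping format are assumptions made for this illustration.

```python
"""Added example (not ROST's own code): emulate the `wide` modifier of the
HelloWorld rule to show why $w matches at offset 12 (0xc) in hello.bin."""
from typing import Dict, List, Tuple


def to_wide(pattern: str) -> bytes:
    """`wide` in ROST/YARA means each ASCII char followed by a NUL byte, i.e. UTF-16LE."""
    return pattern.encode("utf-16-le")


def find_all(haystack: bytes, needle: bytes) -> List[int]:
    """Return every offset where needle occurs in haystack (overlapping hits included)."""
    hits, start = [], 0
    while True:
        idx = haystack.find(needle, start)
        if idx < 0:
            return hits
        hits.append(idx)
        start = idx + 1


def escape_bytes(data: bytes) -> str:
    """Render matched bytes like the `rost -s` output: printable ASCII kept, others as \\xNN."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else f"\\x{b:02x}" for b in data)


def scan(data: bytes, wide_patterns: Dict[str, str]) -> List[Tuple[str, int, str]]:
    """Apply each named `wide` pattern and return (name, offset, escaped bytes) per hit."""
    results = []
    for name, text in wide_patterns.items():
        needle = to_wide(text)
        for off in find_all(data, needle):
            results.append((name, off, escape_bytes(needle)))
    return results


# Constructed input: the same bytes `echo "Hello world!" | iconv -f ascii -t utf-16le` produces.
HELLO_BIN = "Hello world!\n".encode("utf-16-le")

if __name__ == "__main__":
    for name, off, shown in scan(HELLO_BIN, {"$w": "world"}):
        print(f"{off:#x}:{name}: {shown}")  # 0xc:$w: w\x00o\x00r\x00l\x00d\x00
```

Dropping the `wide` modifier (searching for the plain ASCII `b"world"`) yields no hit at all on this file, which is exactly why the rule needs it.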

Even if some important features are still missing (such as support for loops or regular expressions), ROST is currently usable, and this blog post highlights a few new capabilities through real-world cases.

For more information, the documentation provides all the details of the implementation's current state.

For the record, this article is based on commit ab6b87b7, so you can give this version of ROST a try by installing one of the available packages or by running:

git clone http://git.0xdeadc0de.fr/chrysalide.git
cd chrysalide
git checkout ab6b87b7


One year later: three directions for Chrysalide

Posted on April 30, 2018 at 16:18

More than one year has passed since the last blog post.

No news is good news.

A lot of improvements have been committed, as the statistics show:

git diff --stat 3d2576f..HEAD | tail -1
 1818 files changed, 62736 insertions(+), 68424 deletions(-)

A small Python script has also been created to plot the development activity for 2018:

The number of past and incoming evolutions is quite huge, so here is a quick summary of three major changes.

The following article is based on commit ce43a13d, so you can give this version of Chrysalide a try by running:

git clone http://git.0xdeadc0de.fr/chrysalide.git
cd chrysalide
git checkout ce43a13d

As usual, the next step is to follow the installation procedure.


How to reduce memory consumption in your own disassembler and other stories

Posted on May 27, 2017 at 15:42.

There is a common point that all software products share in their development cycles: features are regularly added, code (mostly) works but at a given time some parts of the product need to be rewritten.

The root causes are multiple: refactoring, API updates, and so on. In Chrysalide's case, scaling was a huge problem that prevented end users from loading large binaries without a lot of RAM available.

The last weeks have seen many improvements on this concern, so here are a few hints to make your own disassembler more memory-friendly!

The following news is based on commit 3d2576f, so you can give this version of Chrysalide a try by running:

git clone http://git.0xdeadc0de.fr/chrysalide.git
cd chrysalide
git checkout 3d2576f


Chrysalide keeps progressing, slowly but surely

Posted on March 31, 2017 at 20:43.

There have been 31 commits for this month, and the statistics provide a small overview of the done work:

git diff --stat 027305c..HEAD | tail -1
 157 files changed, 14424 insertions(+), 3393 deletions(-)

Bugs have been fixed and some new features have been implemented, but many ideas are still pending...

It is hard to find enough time to code everything!

The following news is based on commit ebe248f, so you can give this version of Chrysalide a try by running:

git clone http://git.0xdeadc0de.fr/chrysalide.git
cd chrysalide
git checkout ebe248f

As usual, the next step is to follow the installation procedure.


First steps towards the next features

Posted on February 28, 2017 at 20:59.

A lot of time has been spent on the new version of the website, so there are only a few changes for this February digest.

The following news is based on commit 027305c, so you can give this version of Chrysalide a try by running:

git clone http://git.0xdeadc0de.fr/chrysalide.git
cd chrysalide
git checkout 027305c

And then follow the installation procedure.

The statistics provide a small overview of the done work:

git diff --stat 2834917..HEAD | tail -1
 87 files changed, 4369 insertions(+), 1711 deletions(-)


Last Monthly Digest for 2016

Posted on December 31, 2016 at 19:24.

This is the third and last digest for 2016 about what happened in the development of Chrysalide during the last months.

The following news is based on commit cfe99bb, so you can give this version of Chrysalide a try by running:

git clone http://git.0xdeadc0de.fr/chrysalide.git
cd chrysalide
git checkout cfe99bb

And then follow the installation procedure.


Monthly Digest #2

Posted on October 30, 2016 at 14:51.

This is the second digest of what happened in the development of Chrysalide during the last month.

The following news is based on commit df579a2, so you can give this version of Chrysalide a try by running:

git clone http://git.0xdeadc0de.fr/chrysalide.git
cd chrysalide
git checkout df579a2

And then follow the installation procedure.


Monthly Digest #1

Posted on September 29, 2016 at 23:48.

This is the first digest of what happened in the development of Chrysalide during the last month.

It gives details about some of the main new features or about the fixed bugs for all of those who are interested in the project.

The following news is based on commit 537ed96, so you can give this version of Chrysalide a try by running:

git clone http://git.0xdeadc0de.fr/chrysalide.git
cd chrysalide
git checkout 537ed96

And then follow the installation procedure.


0ldEur0pe CTF

Posted on May 13, 2015 at 01:18.

Chrysalide is a brand-new reverse engineering tool. Its early features allow it to be used to succeed in small online challenges.

This presentation provides some details about its advantages compared to other similar tools, based on a past CTF.


Alpha

Posted on December 28, 2012 at 19:31.

Why an alpha version?

  • version: Chrysalide has been in development for a long time, and it is time to expose the software to the outside world. The idea is to submit it to the competition and to a wider range of users, in order to boost its development.
  • alpha: Chrysalide is not very well tested for now. It sometimes crashes and still has many bugs (Python memory leaks or Cairo impressions, for example).
