The METASM assembly manipulation suite
Some news
- 2009/03: metasm is now compatible with ruby 1.9
- 2009/01: the debugger interface can speak with a gdb-server over network (samples/lindebug.rb host:port)
- 2008/12: support for Mach-O and UniversalBinary executable file formats
- 2008/12: support for decoding PPC binary code
- 2008/11: GTK graphical interface for the disassembler (samples/disassemble-gtk.rb)
- 2008/04: can generate a minimal C header from pe or elf imports and a C header set (samples/factorize-headers-*.rb)
- 2007/10: linux console interface for debugging (samples/lindebug.rb)
- 2007/09: minimal C compiler for ia32
- 2007/08: full-blown C parser
- 2007/06: full-fledged C preprocessor
- 2007/06: support for PE/COFF file format
- 2007/04: support for ELF file format
About METASM
Metasm is a cross-architecture assembler, disassembler, compiler, linker and debugger.
It has advanced features such as remote process manipulation, a GCC-compatible preprocessor, automatic backtracking in the disassembler ("slicing"), C header shrinking, an interface to the Linux and Windows debugging APIs, a C compiler, and a gdb-server compatible debugger. It is written in pure Ruby.
Metasm has been written in such a way that it is easy to add a new architecture. For now, the following architectures are supported:
- Intel IA32
- MIPS
- PPC
- Maybe later:
  - IA32e (64bits)
  - ARM
  - Cell
  - SPARC
The following file formats are supported:
- Raw (for shellcodes)
- MZ, PE/COFF (32 and 64 bits)
- ELF (32 and 64 bits)
- Mach-O and UniversalBinary
- a few other formats (a.out, xcoff, nds)
This tool was mainly developed from 2006 to Sept. 2008 at France Telecom R&D. Starting from Oct. 2008, Yoann Guillot will continue development at Sogeti/ESEC.
Metasm has been integrated into Metasploit, however the Metasploit trunk is not necessarily synced with the latest version.
Yoann GUILLOT (Developer) and Julien TINNES (Sales ;) (The 'contact' link on the left is the preferred way to contact us.)
Documentation
The README documents most stable features.
The samples directory holds a bunch of scripts which demonstrate the use of more or less advanced features (read the comments at the beginning of each file.)
However, the source is the most complete doc available ;)
A few publications on the framework:
- SSTIC 09 article (in French) about automatic binary deobfuscation with metasm.
- SSTIC 08 slides and article (in French), article (in English, translated for the Journal of Computer Virology). Semi-automatic unpacking and decompiling with Metasm (covers the T2'07 challenge and Fabrice Desclaux' poeut.exe (mirrored here)). Scripts here and here -- those may need an old version of the framework to run.
- hack.lu slides October 2007 - covers a more recent version with the C compiler and Rubstop.
- SSTIC 07 slides June 2007 - in French
- SSTIC 07 article March 2007 - in French - This article covers a deprecated version but might still have some relevant information.
Get Metasm
The current development snapshot is no longer available as a zip file.
To download metasm, you should use mercurial and clone the testing repository:
hg clone https://metasm.cr0.org/hg/metasm
Afterwards you can keep in sync with the latest version by using
hg pull -u
You can also download metasm v0.1 here (completely obsolete).