feat: add ARM disassembler operation

[thomasxm]

Summary

• Adds new "Disassemble ARM" operation for ARM architecture disassembly
• Uses Capstone disassembly framework with vendored capstone.min.js (includes upstream bug fix)
• Supports ARM (32-bit), Thumb, and ARM64 (AArch64) architectures

Details

Supported Architectures

Architecture	Modes
ARM (32-bit)	ARM, Thumb, Thumb + Cortex-M, ARMv8
ARM64 (AArch64)	Default

Features

• Little Endian and Big Endian support
• Configurable starting address for position-independent analysis
• Toggle instruction hex bytes display
• Toggle instruction position display

Why Capstone?

Capstone is the industry standard disassembly framework used by:

• Radare2, Binary Ninja, IDA Pro plugins
• Frida, Unicorn Engine, QEMU
• Angr, Pwntools, ROPgadget

This ensures accurate disassembly for security research and binary analysis.

Test plan

11 automated tests covering ARM32, ARM64, and Thumb modes

Manual test vectors

ARM32:
Input: 0100a0e3 001081e0 001041e0
Output:
mov r0, #1
add r1, r1, r0
sub r1, r1, r0

ARM64:
Input: fd7bbfa9 fd030091 c0035fd6
Output:
stp x29, x30, [sp, #-0x10]!
mov x29, sp
ret

Thumb:
Input: 80b5 0844 80bd
Output:
push {r7, lr}
add r0, r1
pop {r7, pc}

Files changed

File	Change
package.json	Add @alexaltea/capstone-js dependency
src/core/operations/DisassembleARM.mjs	New operation
src/core/vendor/capstone.min.js	Vendored Capstone with bug fix
src/core/config/Categories.json	Add to "Other" category
tests/operations/tests/DisassembleARM.mjs	Test suite
tests/operations/index.mjs	Register tests

[GCHQDeveloper581]

At the moment this is pulling in capstone.min.js in two different ways (through the "@alexaltea/capstone-js" package, and through the vendor import) but only using the vendor import version.

I've checked and the package version can be used by changing the import in src/core/operations/DisassembleARM.mjs to

import cs from "@alexaltea/capstone-js/dist/capstone.min.js";

which still passes all your tests, and seems to work in browser.

This would be the slightly preferred method if there's not otherwise a problem with the npm package as it saves cluttering up the code base with additional vendor imports.

If the vendor import version is needed (and in which case there should be a test that distinguishes between the package and vendor import versions to avoid someone "cleaning up" at a later date) then the vendor import will need something at the top to establish provenance (where you've pulled it in from, and in particular what the "upstream bug fix" is), and to establish the MIT license that covers the code.

Either way the one you aren't using wants to be removed.

Otherwise looks pretty good (though I note there's currently a merge conflict).

[thomasxm]

Thanks for the review. I've switched to using the npm package import (@alexaltea/capstone-js/dist/capstone.min.js) and removed the vendored copy.

The upstream bug fix is a single line: the ccall to cs_disasm passes 7 arguments (Emscripten splits the uint64_t offset into two 32-bit values), but the npm version only declares 6 types in the array. The vendor copy fixes this to 7, which is technically correct. In test though, it makes no difference with this Emscripten build. ccall only runs converters for 'string' and 'array' types. Everything else, including 'number', 'pointer', and even the undefined you get from reading past the end of the types array, just gets passed through as-is. I couldn't produce any input that behaves differently between the two versions, so there's no practical distinguishing test to write. On that basis the npm package seemed the sensible route.

Also rebased onto current master so the merge conflict is resolved.

[GCHQDeveloper581]

Looks good! Thanks for your contribution.