A disassembler is a computer program that translates machine language into assembly language—the inverse operation to that of an assembler. The output of disassembly is typically formatted for human-readability rather than for input to an assembler, making disassemblers primarily a reverse-engineering tool. Common uses include analyzing the output of high-level programming language compilers and their optimizations, recovering source code when the original is lost, performing malware analysis, modifying software (such as binary patching), and software cracking.
A disassembler differs from a decompiler, which targets a high-level language rather than an assembly language.
Assembly language source code generally permits the use of constants and programmer comments. These are usually removed from the assembled machine code by the assembler. If so, a disassembler operating on the machine code would produce disassembly lacking these constants and comments; the disassembled output becomes more difficult for a human to interpret than the original annotated source code. Some disassemblers provide a built-in code commenting feature where the generated output is enriched with comments regarding called API functions or parameters of called functions. Some disassemblers make use of the symbolic debugging information present in object files such as ELF. For example, IDA allows the human user to make up mnemonic symbols for values or regions of code in an interactive session: human insight applied to the disassembly process often parallels human creativity in the code writing process.
Challenges
It is not always possible to distinguish executable code from data within a binary. While common executable formats, such as ELF and PE, separate code and data into distinct sections, flat binaries do not, making it unclear whether a given location contains executable instructions or non-executable data. This ambiguity might complicate the disassembly process.
Additionally, CPUs often allow dynamic jumps computed at runtime, which makes it impossible to identify all possible locations in the binary that might be executed as instructions.
On computer architectures with variable-width instructions, such as in many CISC architectures, more than one valid disassembly may exist for the same binary.
Disassemblers also cannot handle code that changes during execution, as static analysis cannot account for runtime modifications.
Encryption, packing, or obfuscation are often applied to computer programs, especially as part of digital rights management to deter reverse engineering and cracking. These techniques pose additional challenges for disassembly, as the code must first be unpacked or decrypted before meaningful analysis can begin.
Examples of disassemblers
A disassembler can be either stand-alone or interactive. A stand-alone disassembler generates an assembly language file upon execution, which can then be examined. In contrast, an interactive disassembler immediately reflects any changes made by the user. For example, if the disassembler initially treats a section of the program as data rather than code, the user can specify it as code. The disassembled code will then be updated and displayed instantly, allowing the user to analyze it and make further changes during the same session.
Any interactive debugger will include some way of viewing the disassembly of the program being debugged. Often, the same disassembly tool will be packaged as a standalone disassembler distributed along with the debugger. For example, objdump, part of GNU Binutils, is related to the interactive debugger gdb.
- Binary Ninja
- DEBUG
- Interactive Disassembler (IDA)
- Ghidra
- Hiew
- Hopper Disassembler
- PE Explorer Disassembler
- Netwide Disassembler (Ndisasm), companion to the Netwide Assembler (NASM).
- OLIVER (CICS interactive test/debug) includes disassemblers for Assembler, COBOL, and PL/1
- x64dbg, a debugger for Windows that also performs dynamic disassembly
- OllyDbg is a 32-bit assembler level analysing debugger
- Radare2
- Rizin and Cutter (graphical interface for Rizin)
- SIMON (batch interactive test/debug) includes disassemblers for Assembler, COBOL, and PL/1
- Sourcer, a commenting 16-bit/32-bit disassembler for DOS, OS/2 and Windows by V Communications in the 1990s
Disassemblers and emulators
A dynamic disassembler can be integrated into the output of an emulator or hypervisor to trace the real-time execution of machine instructions, displaying them line-by-line. In this setup, along with the disassembled machine code, the disassembler can show changes to registers, data, or other state elements (such as condition codes) caused by each instruction. This provides powerful debugging information for problem resolution. However, the output size can become quite large, particularly if the tracing is active throughout the entire execution of a program. These features were first introduced in the early 1970s by OLIVER as part of its CICS debugging product and are now incorporated into the product from Compuware.
Length disassembler
A length disassembler, also known as length disassembler engine (LDE), is a tool that, given a sequence of bytes (instructions), outputs the number of bytes taken by the parsed instruction. Notable open source projects for the x86 architecture include ldisasm, Tiny x86 Length Disassembler and Extended Length Disassembler Engine for x86-64.
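The following is an added example, not code from the article or from any of the projects named above: a minimal length decoder for a small subset of 32-bit x86 opcodes, driven by a linear sweep over constructed bytes, showing how the same bytes yield two valid instruction streams depending on the start offset (the variable-width ambiguity described under Challenges). The function names, the opcode subset and the sample bytes are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed sample bytes: decodes differently from offset 0 and offset 1. */
static const uint8_t SAMPLE[] = { 0xB8, 0x31, 0xC0, 0x90, 0xC3, 0xC3 };

/* Size of a 32-bit ModRM byte plus optional SIB and displacement; 0 if cut off. */
static size_t modrm_len(const uint8_t *p, size_t avail) {
    if (avail < 1) return 0;
    uint8_t mod = p[0] >> 6, rm = p[0] & 7;
    size_t len = 1;
    if (mod == 3) return len;                          /* register operand */
    if (rm == 4) {                                     /* SIB byte follows */
        if (avail < 2) return 0;
        len += (mod == 0 && (p[1] & 7) == 5) ? 5 : 1;  /* SIB (+ disp32) */
    } else if (mod == 0 && rm == 5) len += 4;          /* bare disp32 */
    len += (mod == 1) ? 1 : (mod == 2) ? 4 : 0;        /* disp8 / disp32 */
    return len;
}

/* One instruction's length (illustrative subset, no prefixes); 0 = unknown or truncated. */
size_t insn_len(const uint8_t *p, size_t avail) {
    if (avail == 0) return 0;
    uint8_t op = p[0];
    size_t len = 0, m;
    if (op == 0x90 || op == 0xC3 || (op >= 0x50 && op <= 0x5F)) len = 1;
    else if (op == 0xEB || op == 0x6A || (op >= 0x70 && op <= 0x7F)) len = 2;
    else if (op == 0xE8 || op == 0xE9 || op == 0x68 || op == 0x05 ||
             (op >= 0xB8 && op <= 0xBF)) len = 5;
    else if ((op == 0x01 || op == 0x29 || op == 0x31 || op == 0x89 ||
              op == 0x8B) && (m = modrm_len(p + 1, avail - 1)) != 0) len = 1 + m;
    return (len && len <= avail) ? len : 0;
}

/* Linear sweep from `start`; stores each length, stops at an undecodable byte. */
size_t sweep(const uint8_t *buf, size_t n, size_t start, size_t *lens, size_t max) {
    size_t count = 0, len = 0;
    for (size_t off = start; off < n && count < max; off += len) {
        if ((len = insn_len(buf + off, n - off)) == 0) break;
        lens[count++] = len;
    }
    return count;
}

int main(void) {
    size_t lens[8];
    for (size_t s = 0; s < 2; s++)
        printf("start %zu: %zu instructions\n", s, sweep(SAMPLE, sizeof SAMPLE, s, lens, 8));
    return 0;
}
```

From offset 0 the bytes read as a 5-byte `mov eax, imm32` followed by `ret`; from offset 1 they read as `xor eax, eax`, `nop`, `ret`, `ret`.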
See also
- Control-flow graph
- Data-flow analysis
- Decompiler
Further reading
- Vinciguerra, Lori; M. Wills, Linda; Kejriwal, Nidhi; Martino, Paul; Vinciguerra, Ralph L. (2003). "An experimentation framework for evaluating disassembly and decompilation tools for C++ and java". 10th Working Conference on Reverse Engineering, 2003. WCRE 2003. Proceedings. pp. 14–23. doi:10.1109/WCRE.2003.1287233. ISBN 0-7695-2027-8. S2CID 10398240.
- Schwarz, Benjamin; Debray, Saumya; Andrews, Gregory (2002). "Disassembly of Executable Code Revisited". Proceedings of 9th Working Conference on Reverse Engineering (WCRE). Department of Computer Science, University of Arizona: 45–54. CiteSeerX 10.1.1.85.6387.
External links
- List of x86 disassemblers in Wikibooks
- Transformation Wiki on disassembly
- Boomerang, a general, open-source, retargetable decompiler of machine code programs
- Online Disassembler (archived 2012-04-26 at the Wayback Machine), a free online disassembler of ARM, MIPS, PPC, and x86 code