Disassembler and Decompiler

In essence, a disassembler is the exact opposite of an assembler. Where an assembler converts code written in an assembly language into binary machine code, a disassembler reverses the process and attempts to recreate the assembly code from the binary machine code.

Since most assembly languages have a one-to-one correspondence with underlying machine instructions, the process of disassembly is relatively straight-forward, and a basic disassembler can often be implemented simply by reading in bytes, and performing a table lookup. Of course, disassembly has its own problems and pitfalls, and they are covered later in this chapter.

Many disassemblers have the option to output assembly language instructions in Intel, AT&T, or (occasionally) HLA syntax. Examples in this book will use Intel and AT&T syntax interchangeably. We will typically not use HLA syntax for code examples, but that may change in the future.

Here we are going to list some commonly available disassembler tools. Notice that there are professional disassemblers (which cost money for a license) and there are freeware/shareware disassemblers. Each disassembler will have different features, so it is up to you as the reader to determine which tools you prefer to use.

• ODA: is a free, web-based disassembler for a wide variety of architectures. You can use “Live View” to see how code is disassembled in real time, one byte at a time, or upload a file. The site is currently in beta release but will hopefully only get better with time.

• IDA Pro (version 6.x): is a professional disassembler that is expensive, extremely powerful, and has a whole slew of features. The downside to IDA Pro is that it costs $515 US for the standard single-user edition. As such this wikibook will not consider IDA Pro specifically because the price tag is exclusionary. Freeware versions do exist; see below.

• Relyze Desktop: is an interactive software reverse engineering tool that lets you disassemble, decompile and diff x86, x64, ARM32 and ARM64 software.

• Hopper Disassembler: is a reverse engineering tool for the Mac, that lets you disassemble, decompile and debug 32/64bits Intel Mac executables. It can also disassemble and decompile Windows executables.

• OBJ2ASM: is an object file disassembler for 16 and 32 bit x86 object files in Intel OMF, Microsoft COFF format, Linux ELF or Mac OS X Mach-O format.

• PE Explorer: is a disassembler that “focuses on ease of use, clarity and navigation.” It isn't as feature-filled as IDA Pro and carries a smaller price tag to offset the missing functionality: $130

• W32DASM (Win32dasm): W32DASM was an excellent 16/32 bit disassembler for Windows, it seems it is no longer developed. the latest version available is from 2003. the website went down and no replacement went up.

• Binary Ninja: Binary Ninja is a commercial, cross-platform (Linux, OS X, Windows) reverse engineering platform with aims to offer a similar feature set to IDA at a much cheaper price point. A precursor written in python is open source and available at https://github.com/Vector35/deprecated-binaryninja-python. Introductory pricing is $99 for student/non-commercial use, and $399 for commercial use.

• Hiew: x86-64 disassembler & assembler. Single license pricing is $19, and $199 with lifetime updates.

• OllyDbg is one of the most popular disassemblers recently. It has a large community and a wide variety of plugins available. It emphasizes binary code analysis. Supports x86 instructions only (no x86_64 support for now, although it is on the way).

• plugins
• 64 bit version

• Capstone is an open source disassembly framework for multi-arch (including support for x86, x86_64) & multi-platform with advanced features.
• Zydis Fast and lightweight x86/x86-64 decoder library. It does not offer disassembler features such as linear sweep or recursive disassembling.
• Objconv A command line disassembler supporting 16, 32, and 64 bit x86 code. Latest instruction set (SSE4, AVX, XOP, FMA, etc.), several object file formats, several assembly syntax dialects. Windows, Linux, BSD, Mac. Intelligent analysis.
• IDA 3.7 (search for ida37fw) A DOS GUI tool that behaves very much like IDA Pro, but is considerably more limited. It can disassemble code for the Z80, 6502, Intel 8051, Intel i860, and PDP-11 processors, as well as x86 instructions up to the 486.
• IDA Pro Freeware: Behaves almost exactly like IDA Pro, but disassembles only Intel x86 opcodes and is Windows-only. It can disassemble instructions for those processors available as of 2003. Free for non-commercial use.

• version 4.1
• version 4.3
• version 5.0
• version 7.0

• BORG Disassembler: BORG is an excellent Win32 Disassembler with GUI.
• HT Editor: An analyzing disassembler for Intel x86 instructions. The latest version runs as a console GUI program on Windows, but there are versions compiled for Linux as well.
• diStorm64: diStorm is an open source highly optimized stream disassembler library for 80×86 and AMD64.
• crudasm crudasm is an open source disassembler with a variety of options. It is a work in progress and is bundled with a partial decompiler.
• BeaEngine: BeaEngine is a complete disassembler library for IA-32 and intel64 architectures (coded in C and usable in various languages : C, Python, Delphi, PureBasic, WinDev, masm, fasm, nasm, GoAsm).
• Visual DuxDebugger: is a 64-bit debugger disassembler for Windows.
• BugDbg: is a 64-bit user-land debugger designed to debug native 64-bit applications on Windows.
• DSMHELP: Disassemble Help Library is a disassembler library with single line Epimorphic assembler. Supported instruction sets - Basic,System,SSE,SSE2,SSE3,SSSE3,SSE4,SSE4A,MMX,FPU,3DNOW,VMX,SVM,AVX,AVX2,BMI1,BMI2,F16C,FMA3,FMA4,XOP. (in Russian)
• ArkDasm: is a 64-bit interactive disassembler and debugger for Windows. Supported processor: x64 architecture (Intel x64 and AMD64)
• SharpDisam: is a C# port of the udis86 x86 / x86-64 disassembler
• CFF Explorer: Special fields description and modification (.NET supported), utilities, rebuilder, hex editor, import adder, signature scanner, signature manager, extension support, scripting, disassembler, dependency walker etc.
• bddisasm: fast, lightweight, x86/x64 instruction decoding library.

Many of the Unix disassemblers, especially the open source ones, have been ported to other platforms, like Windows (mostly using MinGW or Cygwin). Some Disassemblers like otool ([OS X) are distro-specific.

• Capstone: Capstone is an open source disassembly framework for multi-arch (including support for x86, x86_64) & multi-platform (including Mac OSX, Linux, *BSD, Android, iOS, Solaris) with advanced features.
• Bastard Disassembler: The Bastard disassembler is a powerful, scriptable disassembler for Linux and FreeBSD.
• ndisasm: NASM's disassembler for x86 and x86-64. Works on DOS, Windows, Linux, Mac OS X and various other systems.
• udis86: Disassembler Library for x86 and x86-64
• Zydis: Fast and lightweight x86/x86-64 disassembler library.
• Objconv: See above.
• ciasdis: The official name of ciasdis is computer_intelligence_assembler_disassembler. This Forth-based tool allows to incrementally and interactively build knowledge about a code body. It is unique that all disassembled code can be re-assembled to the exact same code. Processors are 8080, 6809, 8086, 80386, Pentium I en DEC Alpha. A scripting facility aids in analyzing Elf and MSDOS headers and makes this tool extendable. The Pentium I ciasdis is available as a binary image, others are in source form, loadable onto lina Forth, available from the same site.
• objdump : comes standard, and is typically used for general inspection of binaries. Pay attention to the relocation option and the dynamic symbol table option.
• gdb : comes standard, as a debugger, but is very often used for disassembly. If you have loose hex dump data that you wish to disassemble, simply enter it (interactively) over top of something else or compile it into a program as a string like so: char foo[] = {0x90, 0xcd, 0x80, 0x90, 0xcc, 0xf1, 0x90};
• lida linux interactive disassembler: an interactive disassembler with some special functions like a crypto analyzer. Displays string data references, does code flow analysis, and does not rely on objdump. Utilizes the Bastard disassembly library for decoding single opcodes. The project was started in 2004 and remains dormant to this day.
• dissy : This program is a interactive disassembler that uses objdump.
• EmilPRO : replacement for the deprecated dissy disassembler.
• x86dis : This program can be used to display binary streams such as the boot sector or other unstructured binary files.
• ldasm: LDasm (Linux Disassembler) is a Perl/Tk-based GUI for objdump/binutils that tries to imitate the 'look and feel' of W32Dasm. It searches for cross-references (e.g. strings), converts the code from GAS to a MASM-like style, traces programs and much more. Comes along with PTrace, a process-flow-logger. Last updated in 2002, available from Tucows.
• llvm: LLVM has two interfaces to its disassembler:

• llvm-objdump : Mimics GNU objdump.
• llvm-mc See the LLVM blog.

Example usage: