Editing Disassembler

{{Short description|Computer program to translate machine language into assembly language}}
{{More footnotes|date=December 2009}}
A '''disassembler''' is a [[computer program]] that [[translator (computing)|translate]]s [[machine language]] into [[assembly language]]—the inverse operation to that of an [[Assembly language#Assembler|assembler]]. The output of disassembly is typically formatted for human-readability rather than for input to an assembler, making disassemblers primarily a [[reverse engineering|reverse-engineering]] tool. Common uses include analyzing the output of [[high-level language|high-level programming language]] [[compiler]]s and their optimizations, recovering [[source code]] when the original is lost, performing [[malware analysis]], modifying software (such as binary patching), and [[software cracking]].

A disassembler differs from a [[decompiler]], which targets a [[high-level language]] rather than an assembly language.

Assembly language [[source code]] generally permits the use of [[constant (programming)|constant]]s and programmer [[comment (computer programming)|comment]]s. These are usually removed from the assembled [[machine code]] by the assembler. If so, a disassembler operating on the machine code would produce disassembly lacking these constants and comments; the disassembled output becomes more difficult for a human to interpret than the original annotated source code. Some disassemblers provide a built-in code commenting feature where the generated output is enriched with comments regarding called API functions or parameters of called functions. Some disassemblers make use of the [[symbolic debugging]] information present in object files such as [[Executable and Linking Format|ELF]]. For example, [[Interactive Disassembler|IDA]] allows the human user to make up mnemonic symbols for values or regions of code in an interactive session: human insight applied to the disassembly process often parallels human creativity in the code writing process.

== Challenges ==
It is not always possible to distinguish executable code from data within a binary. While common executable formats, such as [[Executable and Linkable Format|ELF]] and [[Portable Executable|PE]], separate code and data into distinct sections, flat binaries do not, making it unclear whether a given location contains executable instructions or non-executable data. This ambiguity might complicate the disassembly process.

Additionally, CPUs often allow dynamic jumps computed at runtime, which makes it impossible to identify all possible locations in the binary that might be executed as instructions.

On computer architectures with [[Instruction set architecture#Instruction length|variable-width instructions]], such as in many [[complex instruction set computer|CISC]] architectures, more than one valid disassembly may exist for the same binary.

Disassemblers also cannot handle code that changes during execution, as static analysis cannot account for runtime modifications.

Encryption, [[Executable compression|packing]], or [[Obfuscation (software)|obfuscation]] are often applied to computer programs, especially as part of [[digital rights management]] to deter reverse engineering and [[Software Cracking|cracking]]. These techniques pose additional challenges for disassembly, as the code must first be unpacked or decrypted before meaningful analysis can begin.

== Examples of disassemblers ==
A disassembler can be either stand-alone or interactive. A stand-alone disassembler generates an assembly language file upon execution, which can then be examined. In contrast, an interactive disassembler immediately reflects any changes made by the user. For example, if the disassembler initially treats a section of the program as data rather than code, the user can specify it as code. The disassembled code will then be updated and displayed instantly, allowing the user to analyze it and make further changes during the same session.

Any interactive [[debugger]] will include some way of viewing the disassembly of the program being debugged. Often, the same disassembly tool will be packaged as a standalone disassembler distributed along with the debugger. For example, [[objdump]], part of [[GNU Binutils]], is related to the interactive debugger [[gdb]].<ref name="Hopper"/>

* [[Binary Ninja]]<ref>{{Cite web |url=https://binary.ninja/ |title=Binary Ninja |access-date=2022-01-25 |archive-date=2022-01-24 |archive-url=https://web.archive.org/web/20220124090924/https://binary.ninja/ |url-status=live }}</ref>
* [[DEBUG (DOS command)|DEBUG]]<ref name="Paul_1997_NWDOSTIP"/>
* [[Interactive Disassembler]] (IDA)
* [[Ghidra]]
* [[Hiew]]
* Hopper Disassembler<ref name="Hopper">{{Cite web |url=https://www.hopperapp.com/ |title=Hopper |access-date=2022-01-25 |archive-date=2022-01-08 |archive-url=https://web.archive.org/web/20220108200723/https://www.hopperapp.com/ |url-status=live }}</ref>
* PE Explorer Disassembler<ref>{{Cite web |url=http://www.heaventools.com/PE_Explorer_disassembler.htm |title=PEExplorer Windows Disassembler for Win 32-bit Program EXE DLL OCX, Code Binary Analysis Tool |access-date=2022-04-25 }}</ref>
* Netwide Disassembler (Ndisasm), companion to the [[Netwide Assembler]] (NASM).
* OLIVER ([[CICS]] interactive test/debug) includes disassemblers for Assembler, [[COBOL]], and [[PL/1]]
* [[x64dbg]], a debugger for Windows that also performs dynamic disassembly
* [[OllyDbg]] is a 32-bit assembler level analysing debugger
* [[Radare2]]
* Rizin<ref name="Rizin">{{Cite web |url=https://rizin.re/ |title=Rizin |access-date=2023-12-09 |archive-date=2023-11-28 |archive-url=https://web.archive.org/web/20231128115203/https://rizin.re/ |url-status=live }}</ref> and Cutter<ref name="Cutter">{{Cite web |url=https://cutter.re/ |title=Cutter |access-date=2023-12-09 |archive-date=2023-11-28 |archive-url=https://web.archive.org/web/20231128115335/https://cutter.re/ |url-status=live }}</ref> (graphical interface for Rizin)
* SIMON (batch interactive test/debug) includes disassemblers for Assembler, COBOL, and PL/1
* [[Sourcer]], a commenting 16-bit/32-bit disassembler for [[DOS]], [[OS/2]] and [[Windows]] by [[V Communications]] in the 1990s<ref name="Sourcer_1989"/>

== Disassemblers and emulators==
A dynamic disassembler can be integrated into the output of an [[emulator]] or [[hypervisor]] to trace the real-time execution of machine instructions, displaying them line-by-line. In this setup, along with the disassembled machine code, the disassembler can show changes to registers, data, or other state elements (such as condition codes) caused by each instructions. This provides powerful debugging information for problem resolution. However, the output size can become quite large, particularly if the tracing is active throughout the entire execution of a program. These features were first introduced in the early 1970s by OLIVER as part of its [[CICS]] debugging product and are now incorporated into the [[XPEDITER]] product from [[Compuware]].

== Length disassembler ==
A '''length disassembler''', also known as '''length disassembler engine''' ('''LDE'''), is a tool that, given a sequence of bytes (instructions), outputs the number of bytes taken by the parsed instruction. Notable open source projects for the x86 architecture include ldisasm,<ref>{{Cite web |url=https://github.com/nomade040/length-disassembler |title=ldisasm |website=[[GitHub]] |access-date=2020-02-26 |archive-date=2020-10-28 |archive-url=https://web.archive.org/web/20201028233929/https://github.com/Nomade040/length-disassembler |url-status=live }}</ref> Tiny x86 Length Disassembler<ref>{{Cite web |url=https://github.com/greenbender/lend |title=Tiny x86 Length Disassembler |website=[[GitHub]] |access-date=2019-12-10 |archive-date=2020-10-31 |archive-url=https://web.archive.org/web/20201031180422/https://github.com/greenbender/lend |url-status=live }}</ref> and Extended Length Disassembler Engine for x86-64.<ref>{{Cite web |url=https://github.com/GiveMeZeny/fde64 |title=Extended Length Disassembler Engine for x86-64 |website=[[GitHub]] |access-date=2019-12-10 |archive-date=2020-10-08 |archive-url=https://web.archive.org/web/20201008232417/https://github.com/GiveMeZeny/fde64 |url-status=live }}</ref>

== See also ==
* [[Control-flow graph]]
* [[Data-flow analysis]]
* [[Decompiler]]

== References ==
{{Reflist|refs=
<ref name="Paul_1997_NWDOSTIP">{{cite book |title=NWDOS-TIPs &mdash; Tips & Tricks rund um Novell DOS 7, mit Blick auf undokumentierte Details, Bugs und Workarounds |chapter=Kapitel II.5. Allgemeines: Undokumentierte Möglichkeiten von DEBUG |trans-chapter=Undocumented features of DEBUG |series=MPDOSTIP |author-first=Matthias R. |author-last=Paul |date=1997-07-30 |edition=3 |language=de |url=http://www.antonis.de/dos/dos-tuts/mpdostip/html/nwdostip.htm |access-date=2014-09-06 |url-status=live |archive-url=https://web.archive.org/web/20170910194752/http://www.antonis.de/dos/dos-tuts/mpdostip/html/nwdostip.htm |archive-date=2017-09-10}} (NB. NWDOSTIP.TXT is a comprehensive work on [[Novell DOS 7]] and [[OpenDOS 7.01]], including the description of many undocumented features and internals. It is part of the author's yet larger MPDOSTIP.ZIP collection maintained up to 2001 and distributed on many sites at the time. The provided link points to a HTML-converted older version of the NWDOSTIP.TXT file.)</ref>
<ref name="Sourcer_1989">{{cite book |title=Sourcer - Commenting Disassembler |publisher=[[V Communications|V Communications, Inc.]] |edition=September 1989 |year=1988 |id=Part Number S0989-164 |url=https://archive.org/stream/SOURCERCOMMENTINGDISASSEMBLER/SOURCER%20COMMENTING%20DISASSEMBLER_djvu.txt |access-date=2019-12-21}}</ref>
}}

==Further reading==
* {{cite book |author-first1=Lori |author-last1=Vinciguerra |author-first2=Linda |author-last2=M. Wills |author-first3=Nidhi |author-last3=Kejriwal |author-first4=Paul |author-last4=Martino |author-first5=Ralph L. |author-last5=Vinciguerra |title=10th Working Conference on Reverse Engineering, 2003. WCRE 2003. Proceedings. |chapter=An experimentation framework for evaluating disassembly and decompilation tools for C++ and java |s2cid=10398240 |doi=10.1109/WCRE.2003.1287233 |isbn=0-7695-2027-8 |pages=14–23 |date=2003}}
* {{cite journal |author-first1=Benjamin |author-last1=Schwarz |author-first2=Saumya |author-last2=Debray |author-first3=Gregory |author-last3=Andrews |title=Disassembly of Executable Code Revisited |location=Department of Computer Science, [[University of Arizona]] |journal=Proceedings of 9th Working Conference on Reverse Engineering (WCRE) |pages=45–54 |date=2002|citeseerx=10.1.1.85.6387 }}

==External links==
{{Wiktionary|disassembler}}
* [[b:X86 Disassembly/Disassemblers and Decompilers|List of x86 disassemblers in Wikibooks]]
* [http://www.program-transformation.org/Transform/DisAssembly Transformation Wiki on disassembly]
* [http://boomerang.sourceforge.net/ Boomerang] A general, open source, retargetable decompiler of machine code programs
* [http://www.onlinedisassembler.com/ Online Disassembler] {{Webarchive|url=https://web.archive.org/web/20120426144633/http://www.onlinedisassembler.com/ |date=2012-04-26 }}, a free online disassembler of arms, mips, ppc, and x86 code

{{Authority control}}

[[Category:Disassemblers| ]]
[[Category:Debugging]]
[[Category:Reverse engineering]]