A disassembler is a computer program that translates machine language into assembly language—the inverse operation to that of an assembler. The output of disassembly is typically formatted for human-readability rather than for input to an assembler, making disassemblers primarily a reverse-engineering tool. Common uses include analyzing the output of high-level programming language compilers and their optimizations, recovering source code when the original is lost, performing malware analysis, modifying software (such as binary patching), and software cracking.
A disassembler differs from a decompiler, which targets a high-level language rather than an assembly language.
Assembly language source code generally permits the use of constants and programmer comments. These are usually removed from the assembled machine code by the assembler. If so, a disassembler operating on the machine code would produce disassembly lacking these constants and comments; the disassembled output becomes more difficult for a human to interpret than the original annotated source code. Some disassemblers provide a built-in code commenting feature where the generated output gets enriched with comments regarding called API functions or parameters of called functions. Some disassemblers make use of the symbolic debugging information present in object files such as ELF. For example, IDA allows the human user to make up mnemonic symbols for values or regions of code in an interactive session: human insight applied to the disassembly process often parallels human creativity in the code writing process.
It is not always possible to distinguish executable code from data within a binary. While common executable formats, such as ELF and PE, separate code and data into distinct sections, flat binaries do not, making it unclear whether a given location contains executable instructions or non-executable data. This ambiguity might complicate the disassembly process.
Additionally, CPUs often allow dynamic jumps computed at runtime, which makes it impossible to identify all possible locations in the binary that might be executed as intructions
On computer architectures with variable-width instructions, such as in many CISC architectures, more than one valid disassembly may exist for the same binary.
Disassemblers also cannot handle code that changes during execution, as static analysis cannot account for runtime modifications.
Encryption, packing, or obfuscation are often applied to computer programs, especially as part of digital rights management to deter reverse engineering and cracking. These techniques pose additional challenges for disassembly, as the code must first be unpacked or decrypted before meaningful analysis can begin.
A disassembler can be either stand-alone or interactive. A stand-alone disassembler generates an assembly language file upon execution, which can then be examined. In contrast, an interactive disassembler immediately reflects any changes made by the user. For example, if the disassembler intially treats a section of the program as data rather than code, the user can specify it as code. The disassembled code will then be updated and displayed instantly, allowing the user to analyze it and make further changes during the same session.
Any interactive debugger will include some way of viewing the disassembly of the program being debugged. Often, the same disassembly tool will be packaged as a standalone disassembler distributed along with the debugger. For example, objdump, part of GNU Binutils, is related to the interactive debugger gdb.[1]
A dynamic disassembler can be integrated into the output of an emulator or hypervisor to trace the real-time execution of machine instructions, displaying them line-by-line. In this setup, along with the disassembled machien code, the disassembler can show changes to registers, data, or other state elements (such as condition codes) caused by each instructions. This provides powerful debugging information for problem resolution. However, the output size can become quite large, particularly if the tracing is active throughout the entire execution of a program. These features were first introduced in the early 1970s by OLIVER as part of its CICS debugging product and are now incorporated into the XPEDITER product from Compuware.
A length disassembler, also known as length disassembler engine (LDE), is a tool that, given a sequence of bytes (instructions), outputs the number of bytes taken by the parsed instruction. Notable open source projects for the x86 architecture include ldisasm,[8] Tiny x86 Length Disassembler[9] and Extended Length Disassembler Engine for x86-64.[10]