Disassembler

Summary

A disassembler is a computer program that translates machine language into assembly language—the inverse operation to that of an assembler. The output of disassembly is typically formatted for human-readability rather than for input to an assembler, making disassemblers primarily a reverse-engineering tool. Common uses include analyzing the output of high-level programming language compilers and their optimizations, recovering source code when the original is lost, performing malware analysis, modifying software (such as binary patching), and software cracking.

A disassembler differs from a decompiler, which targets a high-level language rather than an assembly language.

Assembly language source code generally permits the use of constants and programmer comments. These are usually removed from the assembled machine code by the assembler. If so, a disassembler operating on the machine code would produce disassembly lacking these constants and comments; the disassembled output becomes more difficult for a human to interpret than the original annotated source code. Some disassemblers provide a built-in code commenting feature where the generated output gets enriched with comments regarding called API functions or parameters of called functions. Some disassemblers make use of the symbolic debugging information present in object files such as ELF. For example, IDA allows the human user to make up mnemonic symbols for values or regions of code in an interactive session: human insight applied to the disassembly process often parallels human creativity in the code writing process.

Challenges

edit

It is not always possible to distinguish executable code from data within a binary. While common executable formats, such as ELF and PE, separate code and data into distinct sections, flat binaries do not, making it unclear whether a given location contains executable instructions or non-executable data. This ambiguity might complicate the disassembly process.

Additionally, CPUs often allow dynamic jumps computed at runtime, which makes it impossible to identify all possible locations in the binary that might be executed as intructions

On computer architectures with variable-width instructions, such as in many CISC architectures, more than one valid disassembly may exist for the same binary.

Disassemblers also cannot handle code that changes during execution, as static analysis cannot account for runtime modifications.

Encryption, packing, or obfuscation are often applied to computer programs, especially as part of digital rights management to deter reverse engineering and cracking. These techniques pose additional challenges for disassembly, as the code must first be unpacked or decrypted before meaningful analysis can begin.

Examples of disassemblers

edit

A disassembler can be either stand-alone or interactive. A stand-alone disassembler generates an assembly language file upon execution, which can then be examined. In contrast, an interactive disassembler immediately reflects any changes made by the user. For example, if the disassembler intially treats a section of the program as data rather than code, the user can specify it as code. The disassembled code will then be updated and displayed instantly, allowing the user to analyze it and make further changes during the same session.

Any interactive debugger will include some way of viewing the disassembly of the program being debugged. Often, the same disassembly tool will be packaged as a standalone disassembler distributed along with the debugger. For example, objdump, part of GNU Binutils, is related to the interactive debugger gdb.[1]

Disassemblers and emulators

edit

A dynamic disassembler can be integrated into the output of an emulator or hypervisor to trace the real-time execution of machine instructions, displaying them line-by-line. In this setup, along with the disassembled machien code, the disassembler can show changes to registers, data, or other state elements (such as condition codes) caused by each instructions. This provides powerful debugging information for problem resolution. However, the output size can become quite large, particularly if the tracing is active throughout the entire execution of a program. These features were first introduced in the early 1970s by OLIVER as part of its CICS debugging product and are now incorporated into the XPEDITER product from Compuware.

Length disassembler

edit

A length disassembler, also known as length disassembler engine (LDE), is a tool that, given a sequence of bytes (instructions), outputs the number of bytes taken by the parsed instruction. Notable open source projects for the x86 architecture include ldisasm,[8] Tiny x86 Length Disassembler[9] and Extended Length Disassembler Engine for x86-64.[10]

See also

edit

References

edit
  1. ^ a b "Hopper". Archived from the original on 2022-01-08. Retrieved 2022-01-25.
  2. ^ "Binary Ninja". Archived from the original on 2022-01-24. Retrieved 2022-01-25.
  3. ^ Paul, Matthias R. (1997-07-30). "Kapitel II.5. Allgemeines: Undokumentierte Möglichkeiten von DEBUG" [Undocumented features of DEBUG]. NWDOS-TIPs — Tips & Tricks rund um Novell DOS 7, mit Blick auf undokumentierte Details, Bugs und Workarounds. MPDOSTIP (in German) (3 ed.). Archived from the original on 2017-09-10. Retrieved 2014-09-06. (NB. NWDOSTIP.TXT is a comprehensive work on Novell DOS 7 and OpenDOS 7.01, including the description of many undocumented features and internals. It is part of the author's yet larger MPDOSTIP.ZIP collection maintained up to 2001 and distributed on many sites at the time. The provided link points to a HTML-converted older version of the NWDOSTIP.TXT file.)
  4. ^ "PEExplorer Windows Disassembler for Win 32-bit Program EXE DLL OCX, Code Binary Analysis Tool". Retrieved 2022-04-25.
  5. ^ "Rizin". Archived from the original on 2023-11-28. Retrieved 2023-12-09.
  6. ^ "Cutter". Archived from the original on 2023-11-28. Retrieved 2023-12-09.
  7. ^ Sourcer - Commenting Disassembler (September 1989 ed.). V Communications, Inc. 1988. Part Number S0989-164. Retrieved 2019-12-21.
  8. ^ "ldisasm". GitHub. Archived from the original on 2020-10-28. Retrieved 2020-02-26.
  9. ^ "Tiny x86 Length Disassembler". GitHub. Archived from the original on 2020-10-31. Retrieved 2019-12-10.
  10. ^ "Extended Length Disassembler Engine for x86-64". GitHub. Archived from the original on 2020-10-08. Retrieved 2019-12-10.

Further reading

edit
  • Vinciguerra, Lori; M. Wills, Linda; Kejriwal, Nidhi; Martino, Paul; Vinciguerra, Ralph L. (2003). "An experimentation framework for evaluating disassembly and decompilation tools for C++ and java". 10th Working Conference on Reverse Engineering, 2003. WCRE 2003. Proceedings. pp. 14–23. doi:10.1109/WCRE.2003.1287233. ISBN 0-7695-2027-8. S2CID 10398240.
  • Schwarz, Benjamin; Debray, Saumya; Andrews, Gregory (2002). "Disassembly of Executable Code Revisited". Proceedings of 9th Working Conference on Reverse Engineering (WCRE). Department of Computer Science, University of Arizona: 45–54. CiteSeerX 10.1.1.85.6387.
edit
  • List of x86 disassemblers in Wikibooks
  • Transformation Wiki on disassembly
  • Boomerang A general, open source, retargetable decompiler of machine code programs
  • Online Disassembler Archived 2012-04-26 at the Wayback Machine, a free online disassembler of arms, mips, ppc, and x86 code